With all the chaos going on in the world, the threat landscape is more complicated than ever and organizations may find themselves struggling to keep up. So, what’s the secret for managing threat today? Keep it simple.
Whether it is cyber security or physical security, the basics still work and should be the top priority. These are the top five physical security practices with their cyber security counterparts:
- Ensure alarms are on and working effectively / Use a firewall and ensure it is working effectively
- Have documentation of your threat management practices / Have documentation of your cyber security policies
- Have a plan to protect employee devices / Have a plan for employee device usage
- Enforce strict key controls and access standards / Enforce safe password practices and document sharing
- Retain and back up surveillance video according to policy / Back up and secure data on a regular basis
When the basic needs for physical and cyber security are not met, it is hard to deploy more sophisticated security technology and practices. It would be like building a house on a shaky foundation. The basics are still the most effective way of securing your organization’s assets and locations. Ensuring that these foundational standards are met at every location can be a challenging process, but it is one that should not be overlooked. Good physical and cyber security hygiene is the practice of maintaining systems both physically and systemically.
Solely responding to threats is not an effective approach to good physical and cyber security health. As security professionals, it is critical that we proactively anticipate threats to make sure we are properly managing risks for our organization. How we budget our capital, time, and resources is an important part of staying ahead of the game. Because threats seem to arrive at random, this can feel like an impossible task.
Threats seem unpredictable, but they are not entirely random. External forces that we can recognize play a large part in how threats are distributed. For this reason I recommend following a framework, and the one I think works best is the PESTEL framework: a systematic way of categorizing threats so that we consider every vector rather than only the ones that have already hurt us.
The PESTEL analysis method helps security and compliance professionals mitigate threats by providing a framework to consider all possible threat vectors. The PESTEL method was created in 1967 by a Harvard Business School professor, Francis Aguilar as a framework to understand external influences during strategic business planning. For security and compliance professionals, it works in the same way. It provides a framework to understand external influences that contribute to risks and threats.
PESTEL is an acronym for categories we use to map out threats: political, economic, socio-cultural, technological, environmental, and legal:
Political: Geopolitical events, governmental policies, leadership, taxes, and regulations all contribute to political influences. Political events, and especially the public reaction to those events, can have a massive impact on the threats to our organization. Once again, it is hard to tell the future, but if we prepare ourselves for the potential effects that certain changes might have, we can allocate resources to minimize the cost of those threats.
Economic: Inflation, interest rates, GDP, CPI, labor costs, and the overall economic environment are examples of economic influences on potential risks and threats. Depending on your industry, these influences may affect your organization differently, but responding proactively to changes in economic trends is important to protecting your business.
Social: Demographics, consumer attitudes, opinions, buying patterns, population growth rate, generational shifts, employment rate, ethical and religious trends, civil unrest, and living standards all fall here. This may seem like a broad category, but we should make sure we understand social and demographic trends and analyze how they might affect our businesses.
Technological: Equipment used in the production of goods and services, new and innovative ways of distributing goods and services, new communication methods, artificial intelligence, machine learning, accelerated processing speeds, new hacking methods, and new devices used by criminals. The important piece here is understanding how new technologies might be used by criminals or other bad actors, and also how old technologies may be exposing us to vulnerabilities.
Environmental: Raw materials, pollution and carbon footprint, ethical and sustainability challenges, weather events, and global warming. This may be the most unpredictable category of all, but we should be taking into account the massive costs that weather events impose on our organizations.
Legal: Liability, health and safety, equal opportunity, advertising standards, consumer rights and law, product labeling, and product safety are some examples of legal influences. Changes in the law, such as bail reform, can have a great impact on how our businesses are targeted by bad actors.
The value of the PESTEL analysis method is that it gives organizations a framework for mitigating risks and minimizing threats proactively rather than reactively. It also gives organizations an opportunity for cross-department collaboration when dealing with threat management.
About the Author:
Tom Meehan, CFI, is a recognized industry leader and expert in risk, cybersecurity, information technology and FinTech. As the president of CONTROLTEK, a global leader in tamper-evident security packaging, retail asset protection and RFID solutions, Meehan drives the company’s strategic vision, sustainable business practices, and company culture. Meehan shares his knowledge and expertise in his roles as retail technology editor at Loss Prevention Magazine, host of The Cash News Podcast, co-host of the Loss Prevention Research Council podcast CrimeScience, and the organization’s senior technology advisor.