Remote working has challenged the way we think about the workplace. Embracing a hybrid model of work, companies have learned to live with employees in both the physical and digital realms. For CSOs the continued rise of the digital workplace means more vulnerability points to watch as digital hackers try to take advantage of backdoors into company digital infrastructure.
A hybrid work model also leaves the physical workplace more chaotic. With employees, guests, and other groups coming in and out, physical security can be left wondering how to verify exactly who is in the office and when. This increases the likelihood of physical intruders, another vulnerability for CSOs to consider.
With remote work, you’ve also got unattended mail, packages, courier packets, and hand-delivered items that are sitting on someone’s desk, potentially for days or weeks, until they come in and pick it up. That creates a new security vulnerability tha may not have been apparent to companies before, and it can leave them vulnerable to a new avenue of attack. This new form of cyberterrorism has been nicknamed “phygital” threats, a portmanteau of “physical” and “digital.”
You might already be aware that company mail can be a source of security risks ranging from bomb threats to anthrax scares. But according to Charles Henderson, head of IBM’s offensive operations unit, companies also need to be wary of electronic hacking devices: “With the volume of packages that flow through a mailroom daily, whether it’s supplies, gifts, or employees’ personal purchases, no one ever thinks to second guess what a package is doing here.”
These phygital attacks represent a sort of modern day Trojan horse strategy, known as “warshipping.” Merely one kind of phygital threat, warshipping hides physical hacking devices in packages—some as small as a single book—or on the persons of guests or even employee accomplices. The devices then either attach themselves to a company’s wireless network or enter through a USB port should someone be curious enough to plug them into a computer. The results can be significant business disruptions, major data loss, or even a complete system shutdown.
Phygital attacks are easy for almost anyone to launch, and cost next to nothing: the technology needed for warshipping can cost as little as $100. Companies that work with critical infrastructure, like utilities and energy, are often key targets for large-scale hackers, but the ease of use and low financial barrier opens even small companies to the threat of these effective attacks.
See the problem
Our growing appetite for WiFi-enabled objects in our daily lives has increased the threat of warshipping. The Internet of Things (IoT) has digitized so many of the electronic objects around us everyday—from security cameras and headsets to thermostats and coffee machines. The increased digitization is creating a growing number of entry points for hackers to abuse.
CSOs are understandably so focused on the digital aspect of cybersecurity that they may not have any security protocols for phygital attacks in place. Security personnel need to first acknowledge the security battlefield is much larger than just the digital sphere.
Strategies like warshipping mean CSOs need to take into account possible physical vulnerabilities like packages, guests, employee belongings, etc. CSOs should coordinate their protocols with internal staff who work within these physical vulnerability points, as well as the digital service providers, like data center hosts and government agencies.
The warshipping issue also brings to light another significant issue: the lack of understanding and cooperation between CSOs, who are generally responsible for physical security, and CISOs, those who lead efforts to protect company information systems. As phygital attacks bridge the gap between physical and digital threats, CSOs and CISOs need to work together to protect companies from this growing threat that emnates from both the digital and physical realms.
As cyberthreats increase, companies will need to expand their focus beyond purely digital protection and invest in tools that take the physical side of threats seriously. You can implement as much as software as you can afford against spyware, malware, ransomware, and whatever other ware is out there lurking in the cybersphere, but your efforts are incomplete if you don’t also think about and work to counteract phygital threats, which can easily bypass all of these countermeasures.
For phygital threats, there are various solutions that CSOs need to be aware of to ensure that organizations have a standardized approach to address these vulnerabilities:
- 4D scanning devices to check mailroom deliveries
- Personnel scanners for employees and visitors
- Network security systems to monitor for physical intruders
- Security devices for physical ports, such as USB and ethernet connections
Some of these solutions may seem either obvious or excessive, but the growing ease of phygital attacks requires covering all possible points of entry.
Extra layers of security will no doubt be a nuisance for employees and visitors, so properly educating everyone on the threats of warshipping must be part of any security protocol. CSOs and CISOs must work with all stakeholders to help them understand the vulnerabilities and accept any security measures as the price we all need to pay to enjoy the new hybrid work model and protect companies against the ever-increasing threat of cyberattacks.