On-Demand Webcast: Cyber Action Plan--Physical Security

June 17, 2020

EisnerAmper and Panasonic discussed the importance of video surveillance and access control to office buildings. We also discussed how physical security is an important part of a layered security approach, especially with the future use of masks, gloves, group congregations and different working schedules.


Transcript

Rahul Mahna:Good morning to all of our West Coast friends and good afternoon to all of our East Coast friends. This is the fourth part of our series. We developed this series as a way to give all of you a good understanding of what we think are the four major buckets of security. Today we're on our last bucket, and I'm really excited about this one. We planned it out well in advance, before COVID, and now being in COVID and trying to return to the office, I think this last segment that we're on right now is really going to be important to today, to you, to your offices, to your businesses. And this is a physical security segment that we're going to work on. We're really lucky to have someone from a leading security company, Panasonic, and we have Glenn with us. So Glenn, thanks for taking the time and informing us about some of the good things happening in security.

Glenn Adair:Thank you.

Rahul Mahna:To start with, and I'll tell a funny little story, we're planning this out as a team. We put up physical security as one of our capstone ideas, and one of the folks on our team said, "Hey, I've got a lot of experience in physical security." And I said, "Really?" He says, "Yeah, I used to be a bouncer at a club, and I really know how to handle physical security." And I said, "Well, hold on a second. That's not the physical security that we were talking about. We had a little bit different ideas." So with that, Glenn, maybe that's a nice, easy way for you to give us some exposure as to what do you and I think about as physical security?

Glenn Adair:No, it's a funny story. And it's a valid story, because certainly, physical protection of your assets is part of physical security. So certainly, guards and bouncers are a part of that. But when I think of physical security, it's providing access control and physical protection. But in my bias, I tend to concern myself of how can we use electronic security systems and electronics and technology to provide that physical security layer? So while the bouncers and security officers are a part of that, it's not what I think of when I think of physical security.

Rahul Mahna:Yep, I agree. And it's just a term, I think, we've used to really encapsulate using cameras, how do we protect our buildings? And as being part of that capstone series, this really was a way to talk about that. In our first few pieces, we talked about the computer, we talked about the network, we talked about going to the cloud, but this really is important to talk about, how do you protect your building, especially with COVID now? And I know we're going to chat a lot about that, coming up.

As a quick aside, if anybody has questions as we go along, Lexi mentioned it, but there's a QA widget. We're going to try to answer as many questions as we can towards the end, and of course, we will follow up individually, if we don't get to your questions, to help out. So as part of the capstone series, we want to talk about how we help our clients. What do you think are some of the differences between physical security and cybersecurity? Do you feel like they're one and the same? Do you feel like they're different? How do you view it?

Glenn Adair:Well, they are different, but we have to remember that they both have the same objective. Both of them are designed to protect people, property, and assets, and to manage risk. And we can joke about it and they sound funny, but they're true stories that said, we've had people who put in like recorders to protect their property, they suffer a burglary and the burglars just steal the recorder and take it with them. So physical security and electronic security have the ultimate same goals in protecting people and assets, they just do it differently. But we have to make sure that both of them are working together.

You can't have your electronic assets physically damaged or destroyed, and at the same time, you can't allow your physical security elements to become the gateway for a cyber security attack. You don't want someone to be able to use the convenience of your online alarm system to be able to disable your alarms. I used to joke and say, it's like having your smoke alarm short out and start a fire. It's not what we'd want the system to do. At the first, it has to protect us. And now that all of these elements are going on in the network, cyber security and physical security have to be thought of together.

Rahul Mahna:Yeah. I totally agree with that. As an example, we had a client that was really very focused on their cyber security that had a really strong program in place, and they hired a third party company to do a penetration test, if you may. And many of us have heard of these things called penetration tests, vulnerability tests. But this was very interesting, where they asked this third party company to come penetrate the network. And they were prepared. They had their firewalls in place, they had their antiviruses in place, they had all the levels of security you would think of.

And you know what the firm did, Glenn, is really smart; they simply just walked in the building and they said, "We're going to penetrate your network, and we're going to do that by just walking in." They sat down on an empty cube, they plugged in the computer and they said, "We're in the office and we can do whatever we want here." So I really strongly believe in this pillar. And with that, what do you think are some of the risks? I think you mentioned a great word in being risks, of not considering both the physical and the cyber together?

Glenn Adair:Well, like I mentioned previously, certainly, your security system. And we love that we can put these security systems on the network. There's a lot of benefits, there's a lot of value added. And we have to be conscious of the fact that they can be a gateway to get to other systems. And you got to be careful. Sometimes an insecure camera or logging into an insecure camera can provide an inadvertent connection to secure parts of your network that can be used to launch denial of service attacks. At the very least, even if you can't do more damage to the network, someone tapping into your video system, they can do counter-surveillance against you.

So now, instead of you being able to protect your property, now criminals can use that information, use your video against you, look at executive commuting patterns and know who's in the office and when, and suddenly they're using your system to provide counter-surveillance, and that enables them to commit physical crimes against you. The four pillars are just that, and I think with any one pillar missing, you run the risk of your collapsing. I like the way you did it. They're buckets, but they really need to work together. We have to take everything together.

Rahul Mahna:Yeah. I completely agree. And going on that and adding to some of your thoughts, a lot of the clients that we talk to, they really are unfamiliar with this bucket. And being an expert in this space, maybe you could just help a little bit, in that, there's two areas in that one example I gave that the penetration firm kind of went through pretty easily. One was the concept of access control and then one is the concept of cameras. And can you talk a little bit about what does access control mean, what does video surveillance cameras mean and how they work together?

Glenn Adair:Yeah. So like, access control, it's self-explanatory, in that it's controlling the access of your physical resources to only authorized personnel. The biggest element of that is actually the human element. We, as humans, are the weakest link in this. We hate to say that, but it's true. And then video security is just that, it's providing a record of what's taking place in the facility or risky areas, but also an opportunity to be proactive and react to things before they get out of hand. The trend lately has been to try to supplement the video systems with analytics, tools and other elements that can provide security officers the opportunity to react proactively instead of just, "Well, something's happened. Let's go to the video and see who did it instead." Part of providing that layer access control, by having the video supplement the access control and creating situational awareness around your physical plan, that helps enhance our access control from that aspect.

Rahul Mahna:I think that's a great approach in the way you explained that. So I think we've given a little bit of background to our attendees today, in that there's physical security is very important, multiple ways you can have physical security access control, and in simple terms, that's the way you actually open your door. Sometimes you might have a fob key, you might have a different means to get in, and then cameras that are taking a recording of that, as you mentioned. So that gets us a little bit of background. Now, I think I kind of look at that as the past. Now, with the new norm of COVID and moving forward, we talked a lot of real estate folks. Through our firm, we have a strong real estate presence. A lot of clients have different types of buildings; commercials, multifamily, residentials. Give us a little bit of your thoughts around how COVID-19 has impacted just the concept of physical security.

Glenn Adair:Well, probably the biggest thing is, the biggest impact that COVID has had on physical security is the change in, and I'm going to call it the traffic patterns, or be the behavior of people around our physical plants. A lot of places that used to have high occupancy, a lot of people, and people are part of the security thing. Now there may maybe people working in offices relatively alone, or in small groups, they're socially distancing themselves, and they may not be as cognizant of who's around them and what's happening. So there's concern about providing additional monitoring and remote support for people who are working, our critical workers, or central workers who have to be at work.

Again, I'm mostly interested in electronic security, but we've also seen that there's been some increase in physical officers to supplement or monitor facilities that are left vacant during the crisis. And then there's been a little bit of interest in using existing technologies to help enforce compliance with social distancing and other health guidelines. So those are kind of the big major things. And there's been other little things. Obviously, there's increased anxiety, so that's been driving up the desire for physical security. But generally, those are the three things: monitoring places that will be unoccupied or under-occupied, and then increasing protection of workers who essentially need to be there, and then trying to ensure compliance with social distancing guidelines.

Rahul Mahna:I agree. And we're getting a lot of inquiries, to my team in particular, from clients asking, how do they effectuate some of these social distancing policies, how do they effectuate proper security coming into the building, compliance? In my seat, I get a lot of vendors talking to me and emailing me and asking me to promote some of these technologies. But I would love to know, from your perspective, being a electronic security expert, like, what are some of the solutions you see being promoted by vendors out there?

Glenn Adair: Well, there's a couple. They fall into a couple of categories. The highest interest seems to be on monitoring of I'm going to say temperatures. So the industry has long had thermal imaging cameras available for a long time. Caution needs to be taken. They were actually never designed to measure fevers or infections in people, but certainly, we see a lot of people promoting that. But in addition, we've always had analytics that can look for intruders in areas. In other words, the camera itself can replace your physical security officer by monitoring unattended areas. They can look for people who are going the wrong way in entrances, going in exits when they should not be, looking for people where there shouldn't be people, looking for people who are loitering where people shouldn't be loitering. These analytics always existed for physical security purposes, but now they can help us to respond to the additional concerns in the COVID environment.

Rahul Mahna: hat makes a lot of sense. And you're talking about some of the existing technologies that are there. I've also felt and seen, there seems to be a land grab. Everybody is trying to adapt whatever technology they might have today to become "COVID". You've got great software providers out there that are CRM tools that are certainly becoming COVID tools, and it's kind of interesting for me to see that. Can you kind of give, from your seat and your perspective as an expert, some examples of how these existing technologies in your world are evolving to become more COVID related?

Glenn Adair:Yeah. And we've done the same thing, and every vendor has done the same thing. We've looked at our existing suite of tools and resources, and we asked ourselves, "Can this be modified or adapted in short time to help us address the new concerns of COVID?" Like for example, we've always had this retail analytic, and unfortunately, we've always called it a heat map. And what it does is it doesn't detect heat. So people hear the term heat map, and they think that, "Oh, that's a fever monitor." We say, no, absolutely not. But what it does do is it allows us to see the volume of people transiting a certain location.

So for example where there is a high amount of density of people congregating, it might be red, and where there's a low density of people, it may be blue. And because of just the way it displays those, it's been named heat map. But it has nothing to do with measuring heat. However, we recognize now that when we're looking to monitor areas where we want to know if there's a density, we can set a threshold in that analytic that say, "Hey, if we see this number of people in a given area, we want an alert." That is something that can be adapted. It was never meant to be a solution for COVID, but nonetheless, it's an existing technology that we can leverage to help us address a new concern.

But you'll be careful, because a lot of people are just slapping COVID-19 labels on their existing product. There's nothing wrong with that, we're doing it too, but you just want to ask the honest question, what is the analytic really telling me? Is this helpful? And the answer is yes or no. And then as we mentioned, does it fit my operational plan? Is this consistent with what I'm trying to do to maintain physical security at my plant?

Rahul Mahna:So Glenn, you're right, we all are kind of data-driven in whatever businesses we have and operate in. So in regards to this analytic you're talking about, are these effective? Is it real? Like, how accurate are these analytics that you're mentioning?

Glenn Adair:Yeah, it's a good question. And I can certainly get on my soap box about analytics, and I think the reasonable thing is, any analytic that anyone presents to you, whether it's another vendor or whether it's us, by all means, it's fair to ask, what does the analytic really detect? And then you got to ask yourself, is this analytic going to help me? And a great example is, a lot of people like to talk about the object left behind, like an object left behind analytic. Somebody puts an object down on the ground and they walk away from it and you get an alert. And the way that's always pitched for example is, well, someone could have just left the bomb. It's a very compelling argument, It's a very emotional argument, and people latch onto this analytic and then they deploy it everywhere, and it doesn't take them long to realize that you know what? People are always putting things down and none of them have been bombs, thank goodness.

That doesn't mean the analytic has failed you, it doesn't mean the analytic is bad. It just means we didn't understand what it was really telling us. Loitering, I think, is a great analytic that can have both really positive and really valueless deployment. If I deploy my loitering in an area where there should be no people whatsoever, or people walk by, but I really want to know if people are congregating there, loitering can be a really, really effective analytic. Cross line detection. If there's a line that people shouldn't cross, that can be a really, really effective analytic. Wrong way detection; people moving the wrong way, whether it's cars or people or whatever.

Glenn Adair:All too often, criminal elements will use an unguarded exit as a means of getting into a facility. The wrong way analytic can absolutely help you in that case. So it's fair to ask the question, what is the analytic really going to alert on? And is there innocent behavior that the analytic will interpret as malicious behavior? And if so, maybe that's not a good application for the analytic.

Rahul Mahna:That's a really good point. And being a data person myself, I think about these things. And if I bring back, it's kind of funny, you were talking about some nefarious activities, and again, it's everybody trying to repurpose for COVID. So if I think about COVID and where we are today, some of those concepts are the same. Offices want to know, are employees aggregating "loitering"? You mentioned traffic movement. Again, they want to know policies of, are people walking in the hallways a certain direction or another direction, and the density of those.

So the one area that I'm a little concerned about, you mentioned earlier, is everybody wants to know temperatures before you get to the office. It seems to be in the top five checklists that a lot of organizations are asking their employees before they are going to be coming back to the office. And I have been getting a lot of inquiries from folks that are selling devices, and their cameras, usually, that say that you can just have your employees come and look at our camera, and it's going to tell you their temperature.

And of course, if this is something that's a trigger to allowing you to go to work or not, it's pretty important, and it's a very important analytic. So all of this is to ask you, if we're a little skeptical of analytics, if we are all repurposing technologies, and temperature is a very important thing to come to work, how effective is the thermal imaging to detect these elevated temperatures that people have?

Glenn Adair:I, myself, too, to be honest. And we have to remember what the original purpose was. Thermal imaging always started out as the ability to detect intruders in total darkness. That was the origin of the technology, and it started out in black and white. It quickly went to color, where now we can have color tell us the different temperatures. And there was a lot of industrial applications, where we can monitor the temperature, relative temperatures of machinery and equipment. They started to use it to detect leaks of steam and other things from industrial plants. It evolved into firefighting, where firefighters can certainly use it to look for suspicious hotspots that need to be further investigated. It's been used in home design to monitor the effectiveness of insulation, to look for hotspots where heat may be escaping your house.

So thermal imaging is a well-established technology. So it certainly has potential to assist us in monitoring the relative temperatures of people, it's just that the science is a little sketchy, is how much skin temperature relates to body temperature? There's things that can impact the external temperature of a skin. Someone could be flush because they were sunburned, someone could be cool, running a fever but cool, because they just came in from the outside. And not all thermal imaging cameras are created equal. Some don't necessarily report absolute temperature. They need to be calibrated. They may need to be calibrated every day. And some may only tell you, well, this person's skin is warmer than this person's skin, but it doesn't necessarily conclude that one's running a fever and one isn't.

And we certainly don't have time to get into it here. I think we need really, really cautious when it comes to thermal imaging, and we need to dig deeper, and especially now that the FDA has kind of loosened the rules a little bit. Because normally, anything that's claimed to measure body temperature is considered a medical device, and really, only kind of like invasive thermometers really do that. Like, well, ear thermometers and temporal thermometers, and you don't want to be doing that for every single employee. So at the best, it's a screaming device.

Rahul Mahna:Yep. Yep. I feel the same way. And if I can tick and tie that to two other requirements that I'm often seeing from our clients, which are, trying to enforce that employees are wearing face masks, and how they're doing it, maybe connecting the face recognition to access control, meaning letting them contactlessly open a door, so they don't have to touch a door and it just recognizes their face. What is your thoughts on these emerging technologies that are coming out that are going to allow you to see through a face mask, identify, recognize if the face mask is on or off, identify the face, have that relate to a database that can auto-open up a door itself. What's your thoughts on all that?

Glenn Adair:The facial recognition is interesting. We've had a facial recognition solution for over five years, and in probably the last three of that, it's always had ability to recognize a face, whether that person was wearing a face mask or not. It doesn't necessarily track that the person's wearing a face, we're looking to see if we can modify it. So that technology has always existed. And then now, of course, we're talking about contactless access control. I'm a little reluctant to rely solely on face as an access control in and of itself, but certainly it can be used for a two-factor-authentication. In other words, that I can approach a facial recognition camera, I can hold my fob follow up. I don't have to necessarily touch anything, but I could hold my fob up and if the two match, then it will grant me access.

And the reason we're seeing interest in that as is obvious, people want it. They want contactless entry. They don't want people touching keypads or anything like that. And I don't think that's necessarily a requirement, unless you're looking for two-factor authentication. You want to swipe your badge and then enter a key. And we won't want people touching keypads, so they're looking for the face to be maybe possibly the second part of that two-factor authentication, so they can not rely on, or not have to depend on the keypad to be that second level of authentication.

That exists today. At least we have it, I'm sure others have it. And then compliance about wearing a mask, automatically detect if someone's wearing a mask or not. But I think sooner or later, someone's going to just spot somebody anyway. Someone can approach the analytic, say they're wearing a mask, the analytic lets them in, then they could take it off. So like I said, we have to rely on people to comply with this. The technology is just there to help us.

Rahul Mahna:Makes sense. And as we're getting short on time here, I just want to like, think about one other topic. So we're all thinking about how to return the office better, how to be more secure in your facial recognition, mask recognition, temperature recognition, traffic patterns within an office, not letting people aggregate too much in one area, and many other things, to try to make a more comfortable return to the office. We're going to put a lot of systems in place. Being part of teams that are doing software, that are doing app development, that are doing camera development to allow a business to have a lot of these features and functionalities, one thought that kind of strikes me is, what's going to happen? Hopefully, all of this ends in a short period of time. Are all these technologies going to be just obsolete? All this investment and thought that's going into right now, can this be reused in the future? What's your thoughts on that?

Glenn Adair:It seems like it's never going to end, but we know sooner or later, it's going to end. And when it does, they said, "Is this technology going to help us in other ways?" And the answer is, most of it can be repurposed for other things. Some of this is going to be permanent behavior change. Like, we were looking at intruder detection, or occupancy detection. Those analytics can add value long after this crisis has over. The facial recognition, two-factor authentication. Certainly, it could be an opportunity for people who were considering it, but maybe weren't convinced it was the right way to go, and maybe now with COVID, they decide that, yeah, we do want to implement it. That technology will be able to remain as a two-factor authentication long after this crisis is over.

And it works both ways. It not only recognizes people who shouldn't be in your facility, it can recognize people who should be in your facility. So the technology can be used alternatively. Maybe after we're done, you can say, "Well, now we want to use it to look for people who don't belong in the facility instead of people who do belong in the facility." We asked those questions when we were evaluating the technology. After this is over, what else can I do with it? Or what else can I do it now while the crisis is going on? Because the more we can leverage what we have and use it, the more effective it's going to be at making our operations better.

Rahul Mahna:I couldn't agree more in that thinking. So as we're approaching our time, and it goes always so fast when chatting with experts like yourself, if I could just ask you, in maybe one minute or so is, being someone in the industry for a very long time, you're with a very strong brand, you're involved with a lot of different vendors and applications and integrations, where do you see the future, if I could ask you, in regards to security?

Glenn Adair:Well, with electronic security, the trend is definitely towards more and more analytics. So that's what we're saying. Whether it's now or in the future, the more we can have the camera look at and analyze video and bring interesting behavior to our attention, the better it's going to be. Because what we've seen over the last couple of years, the trend has been is that everybody's deploying cameras. There's exponential growth in the cameras, but there hasn't been exponential growth in security officer's watching it. So we're relying on analytics, and the list is endless, to look at the video and highlight to the security officer, "Hey, of all the videos, you should look at this one, because this looks suspicious to me, the computer." But the human element's always going to be there. At the end of the day, the human has to make the final decision. "Is this something I need to react to, or is this innocent behavior?" And that's definitely what I see in the future. And we're seeing some of those analytics now, it's just going to get an explosion of analytics.

Rahul Mahna:Yep. I agree. And thank you again for all your thoughts and your expertise. This has been the end of a wonderful four-part series. I couldn't have ended it better than having you here and talking about physical security. So thank you everyone for joining, and look forward to future series. 

About Rahul Mahna

Rahul Mahna is the Managing Director of Managed Security Services within EisnerAmper’s Process, Risk and Technology Solutions (PRTS), with extensive experience in information technology and cybersecurity solutions to our clients.