
In early 2024, an employee of a Hong Kong company was on a video call with the CFO and a few colleagues when the CFO instructed him to transfer $25.6 million USD to various bank accounts. Following orders, the employee initiated the transfers, only to learn that the CFO and co-workers were deepfakes.
While this was one of the biggest deepfake stories to emerge in recent years, there have been plenty of other cases in which individuals were tricked into transferring funds, sharing passwords, or offering personal information to bad actors posing as colleagues, employers, friends, or family members.
AI and deepfake technology are developing at lightspeed and companies are scrambling to keep up with the rapidly expanding threat landscape. Until recently, security teams were focused on the threats they couldn’t see. Now, they’re questioning what they can see as well.
As technology advances and people, devices, and networks become more sophisticated and intertwined, it’s vital that security teams review their strategies to ensure they adequately protect against not only the latest cyber threats but physical attacks as well.
Security best practices have seen some big shifts in the past few decades. Bodyguards were once positioned at building entryways to protect file cabinets filled with sensitive information. As data became digitized, security measures moved from securing building perimeters to digital perimeters, keeping bad actors out. Then, with the shift to the cloud and mobile applications, data became more isolated, and security strategies became even more complex.
Today, security teams, investors, and executives need to take a more holistic view of their security posture, ensuring strategies protect the business and its data at every point where systems, software, people, physical assets, and facilities interact, because any gap in physical security can lead to a digital breach and vice versa.
Without the right tools in place, someone tailgating into your office or warehouse has access to servers, IoT devices, computers, and phones. Even more concerning, a stolen laptop or swiped phone gives them access to your systems and data. Beyond that, some third-party contractors or vendors also pose a risk if strict access restrictions and guidelines aren’t in place, especially if they perform site visits or can reach your IoT devices.
Regardless of whether you have IoT devices and on-premises servers or a fully remote workforce, any physical device connected to your digital environment is an access point and a threat, and your security strategy must address it.
Much like digital security, physical security is no longer about protecting a single entry point. It is a complex web of endpoints that are tied to your systems, your data, and your people. While the doors and windows to your physical spaces should, of course, be protected, there are a few other key points of failure that security teams need to consider and secure when building a physical security strategy.
If someone is trying to enter your organization’s environment — whether that is physical or digital — you need protocols in place to keep unwanted visitors out and keep authorized visitors only in the spaces they should have access to. Too often, identity verification falls short, allowing bad actors to enter areas where they shouldn’t be.
Shared badges or badges of ex-employees that haven’t been deactivated can lead to unauthorized access to physical spaces, which poses a danger to your data, equipment, and employees. The same is true when padlocks or door codes aren’t changed after layoffs. Even if buildings have a security guard or secretary checking visitors in, it’s vital to have an escalation procedure in place for an unscheduled visitor who claims to have an appointment or needs access to your space.
Physical and cybersecurity go hand in hand, and both must play a part in any security strategy. Without MFA, a stolen device gives hackers access to your VPN, cloud drives, and SaaS tools. Likewise, if a bad actor swipes a device or accesses one on site, they will be able to move laterally through your digital environment and access potentially damaging information if you don’t have role-based access controls in place.
Limiting privileged accounts is especially important with third-party contractors and vendors. Companies need tools to monitor and limit access for third parties to ensure they — or someone who hacked their systems — aren’t entering through an authorized space and moving laterally to an area that houses sensitive information.
Most employees are fairly adept at spotting a traditional phishing email. But spotting a scam becomes more challenging when on a video or phone call with someone who looks and sounds like your boss or colleague. Hackers are using the same social engineering tactics they’ve had success with before, preying on human vulnerability, but they’ve become much more convincing (recall the employee who wired $25M to a hacker he believed was his CFO).
Deepfake and AI threats can include, but are certainly not limited to:
All of these threats involve crossover between digital and physical spaces, so only security strategies that address both can result in true cyber resilience.
Many buildings and facilities are utilizing smart devices that run the gamut from thermostats to printers to industrial manufacturing equipment to conference room cameras. These physical IoT devices are entry points to your network and can be exploited like any other endpoint.
In fact, in late 2024, it was discovered that a group of state-sponsored hackers from China infiltrated United States telecommunications companies to conduct espionage on a massive scale. Part of the attack relied on hundreds of compromised IoT devices, which were used to create a botnet to carry out attacks.
While hackers can use physical facilities and assets to enter digital systems, the reverse is also true. By hacking into digital systems connected to your physical space, bad actors can effectively shut down your business and hold it for ransom.
Last year, MGM Resorts agreed to a $45 million class action settlement for massive data breaches in both 2019 and 2023. After a successful vishing attack gave hackers access to employee accounts, the hackers were able to move laterally through MGM systems, stealing data, deploying ransomware, and disrupting hotel services, including the use of digital keys and slot machines.
Likewise, a 2025 attack on Jaguar Land Rover shut down UK production facilities for over a month, resulting in the loss of more than $250 million for the company.
Because the physical and digital worlds are so closely tied together, your security strategy should address both. Converged security is the practice of creating one cohesive security strategy that encompasses both cybersecurity and physical security initiatives. It involves looking at your entire ecosystem to find gaps between the physical and digital environments and closing those as quickly as possible.
A converged security strategy calls for visibility into your entire digital network and physical footprint, as well as security controls that prohibit unauthorized access and movement. Teams should closely monitor all people, devices, networks, and physical spaces for signs of unexpected activity or security breaches.
In addition to security controls, organizations need incident response and recovery plans for bad actors who successfully break into physical or digital spaces. Security personnel need a plan of action that includes whom to alert if a suspected breach occurs and clear guidance for how to remove the unwanted person.
This converged security strategy should involve both IT and physical security teams. Both must work together to prevent or limit a breach. For instance, if a physical breach occurs, security teams should alert IT immediately to begin searching for unusual movement in the digital environment. IT teams, on the other hand, should treat all facility IoT devices like endpoints, assigning security teams to monitor activity, segment and secure systems, and patch IoT software as needed.
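The hand-off between physical security and IT described above can be partly automated by reconciling badge logs with authentication logs. The following is an added example, not SolCyber's code; the record layouts, the sample events, and the 12-hour window are constructed assumptions. It flags swipes from badges whose holders have left the company and on-site logins by users who never badged in.

```python
from datetime import datetime, timedelta

# Constructed sample data; field layouts are assumptions, not a real product's export.
BADGE_OWNER = {"b-1001": "alice", "b-1002": "bob", "b-1003": "carol"}
TERMINATED = {"b-1003": "2025-01-10"}  # badge id -> holder's last working day
BADGE_EVENTS = [  # (timestamp, badge id, door)
    ("2025-01-15T08:02:00", "b-1001", "lobby"),
    ("2025-01-15T08:40:00", "b-1003", "server-room"),
]
LOGIN_EVENTS = [  # (timestamp, user, source); "onsite" = office network
    ("2025-01-15T08:10:00", "alice", "onsite"),
    ("2025-01-15T09:15:00", "bob", "onsite"),
    ("2025-01-15T09:30:00", "alice", "vpn"),
]

def stale_badge_use(badge_events, terminated):
    """Return swipes made with a badge after its holder's last working day."""
    hits = []
    for ts, badge, door in badge_events:
        last_day = terminated.get(badge)
        if last_day and datetime.fromisoformat(ts).date() > datetime.fromisoformat(last_day).date():
            hits.append((ts, badge, door))
    return hits

def onsite_login_without_badge(login_events, badge_events, owner,
                               window=timedelta(hours=12)):
    """Return on-site logins with no badge swipe by that user in the prior window."""
    swipes = {}
    for ts, badge, _door in badge_events:
        swipes.setdefault(owner.get(badge), []).append(datetime.fromisoformat(ts))
    alerts = []
    for ts, user, source in login_events:
        if source != "onsite":
            continue  # remote logins are expected to have no badge event
        t = datetime.fromisoformat(ts)
        if not any(timedelta(0) <= t - s <= window for s in swipes.get(user, [])):
            alerts.append((ts, user))
    return alerts

if __name__ == "__main__":
    print(stale_badge_use(BADGE_EVENTS, TERMINATED))
    print(onsite_login_without_badge(LOGIN_EVENTS, BADGE_EVENTS, BADGE_OWNER))
```

An on-site login with no matching swipe can mean tailgating, a shared badge, or credentials used from a device already inside the building, so each alert is a prompt for both teams to investigate rather than a verdict.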
For companies looking to build up their security posture, the NIST Cybersecurity Framework emphasizes governance, risk management, and resilience-oriented outcomes. Additionally, it offers practical guidelines for protecting against physical, digital, or combination attacks. It’s also flexible and customizable for various industries, making it an excellent starting point for businesses looking to become cyber resilient.
If the NIST framework is overwhelming, here are a few quick things businesses can do in Q1 to improve their security posture.
While this checklist provides a great start, a converged security plan should be extensive and evolve over time. More than just implementing a few action items, a true converged security program calls for a cohesive, cross-departmental strategy that includes an investment in training, tools, processes, and, likely, third-party security partners.
SolCyber helps teams build real-world resilience and facilitate the integration between cyber and physical risk. Reach out to the experts today to learn how SolCyber can help you.






