Policies, procedures, malware, firewalls, cipher locks, etc.  Now I’ve got to be Tippi Hedren too?

July 10th, 2017 by Sean Smith, CISSP

“If paparazzi armed with telephoto lenses have long been the scourge of the rich and famous; civilian drones are fast becoming the new menace to the ordinary man on the street.” – Alex Morritt, Impromptu Scribe.

Just when you think you have a handle on the ways there are to attack your business, something new pops up unexpectedly. This past week it was a civilian drone.


For almost an hour, a drone was spotted conducting surveillance through the windows of our offices on the sixth floor, along with our neighbors above and below us. We had no idea who was controlling the drone or what their intentions were. We had just expanded into that office and no white boards were up yet or any monitors visible from the windows; so, we did not have a security breach. Our employees alerted the appropriate department and quickly closed their blinds. We got lucky.

Drones are now a way of life. The technology is affordable enough for the home enthusiast to own and operate. The Federal Aviation Administration (FAA) and every state have laws that govern the operation of Unmanned Aircraft Systems (UAS), the legal term for drones. Every state has different drone privacy laws governing when and where video and pictures can be taken and how those images can be used. I recommend that you become familiar with the laws of your state and locality; you must be aware of the rules. Calling the local police department about a drone issue also gives you the opportunity to educate the local police officers on drone usage and privacy laws. With this incident, our local police officer had to contact the city attorney to determine what was and was not acceptable.

As any competent, security-trained professional will explain, a defense-in-depth strategy is required for the physical security of your business structures. Money is spent adding layers, including some form(s) of lighting, security cameras, gates/fences, walls, perimeter intrusion systems, access cards, alarm systems, balustrades, signage, cipher locks, security guards, etc., as part of that defense in depth.

You must now add window treatments to the physical security list, because a drone can bypass every one of the measures above and transmit video or pictures directly from your windows to a receiver four kilometers away or farther.

Personnel without security training tend to understand cyber security as covering only the electronic, or Information Technology (IT), systems, not the physical or administrative security needs. Long-Term Post-Acute (LTPAC) clinicians roam from facility to facility, and the physical security of those facilities can vary greatly; LTPAC personnel see different types of physical security layers during those travels, for better or worse. The LTPAC Medical Group office needs to use a defense-in-depth strategy to place layers between outside threats and the important, protected data that a company maintains. Your Risk Assessment process must include a physical security review.

Our drone story has a somewhat happy ending. The property management company hired the drone operator to conduct a site survey on the buildings, which included a detailed survey on the windows. Education was provided to the property management company on proper North Carolina drone usage and privacy rules. In the future, alerts will be provided to the businesses in those buildings so they can ensure their blinds are closed to prevent unauthorized surveillance through the windows. Finally, we are reviewing the specific footage from the drone flight pertinent to our office as a secondary audit.

“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.” – David Brin.

**And I apologize to those who are not aware of The Birds reference in the title. A quick internet search will provide the needed background on Tippi Hedren…

Sean Smith, CISSP

About Sean Smith, CISSP

Sean E. Smith, a Senior Security and Compliance Engineer with GPM, has over 32 years of experience in information security, cybersecurity, HIPAA Privacy and Security, operational security, enterprise infrastructure and operations. At GPM, he has been responsible for infrastructure planning, installation, deployment, operations, change management and security. He is also responsible for the creation and operation of the HIPAA Compliance, Risk Assessment and SOC Level 1 Type 2 programs, which passed external auditing with No Exceptions. Prior to joining GPM, he worked in and/or founded several IT consulting firms with a focus on small medical groups. Additionally, he spent four-plus years as a VP at Bank of America involved in Enterprise Architecture planning, application management and business IT integrations. Finally, he also has an intelligence background: he spent eight years in the US Navy as a Cryptologist deployed to Fast Attack submarines. Quite a ride.
