Infosec 2010: Physical and technical security must work together

Organisations need to ensure that physical and technical security procedures work together to ensure the best possible defence against potential data breaches, according to a panel of industry experts at Infosec 2010.

Carl Froggert, global engineering lead at financial firm Citi, argued that converged threats mean that security has to be considered in a wider context.

"IT and physical security need to work together, otherwise it is not a sensible model for security. If they are viewed as separate silos, there will be gaps in the system that can be exploited," he said.

John Walker, visiting professor of technology at the School of Computing and Informatics at Nottingham Trent University, said it is vital that companies use technology that is fit for purpose.

"Lots of organisations have systems they never use, or leave technologies installed once they cease to be useful. It's important to only make sure you use the technology you need, and that what you do purchase is of genuine benefit," he said.

Walker added that firms need to constantly train and retrain IT staff to use the technology correctly, and to make them aware of new and existing threats.

James Gay, chief information security officer at currency exchange firm Travelex, suggested that IT staff need to "step to the darkside" in order to consider the potential risks their organisation faces internally and externally.

"You need to consider all the possible ways someone could access your data, both physically and remotely, and protect against these threats to ensure your systems are not usurped. An open culture of sharing information is also important," he said.

Gay added that organisations need to get the basics right too, such as making sure staff use secure passwords and are taught ways of remembering these passwords beyond writing them out and leaving them next to their desktop device.

The importance of protecting against data breaches was underlined by the deputy commissioner of the Information Commissioner's Office, David Smith, after he claimed that the reporting of data breaches is likely to become mandatory.