John Root
Head of Cyber Security
Mishcon de Reya
Welcome to everybody, this is our third Digital Fortress session of 2024. We are here to provide some tips based on real experiences across cyber risk and I’ve got a few housekeeping things just to go through so I’ll do that now. If you’ve got questions, please put them in the Q&A function down at the bottom. If we don’t address them through the course of this webinar then we’ll address them at the end. If you’ve got technical difficulties, you can put them in the chat function and if you want to contact or speak to us directly then you click on the resources tab down below and you will be taken to their bios and contact details. There will be a recording that will go out to everybody that has signed up with contact details. Okay, so in today’s session we’ll delve into the convergence of cyber security and physical security and this has been driven by an increased interconnectivity of security, the complex threat landscape and the regulatory pressure that are facing us. There’s also an overwhelming desire across tech and business to optimise resources. We’ll explore how this integration of these two traditionally separated domains is happening and the implications for all of us, so we look forward to an informative and engaging session. Okay so I should start with an introduction of myself, so I am John Root, I’m Head of Cyber Security at Mishcon working with and supported by the wider cyber risk and complex investigations team and I rely heavily on the expertise of a dynamic duo such as Kizzy and Francis, Francisco, apologies. Francisco why don’t you go first.
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Sure, my name is Francisco Sanches and I’m the Cyber Risk Director within Mishcon Cyber Risk and Complex Investigations Team.
John Root
Head of Cyber Security
Mishcon de Reya
And Kizzy, do you want to introduce yourself.
Kizzy Augustin
Health & Safety, Mishcon de Reya
Yes thanks John. So I am Kizzy Augustin, I head up our Health and Safety practice here at Mishcon. I split my time between advisory and reactive work generally advising companies and individuals on the physical and perhaps not so physical make-up of health and safety and regulatory law and I know lots about regulatory pressures so no doubt we’ll talk about that today.
John Root
Head of Cyber Security
Mishcon de Reya
Okay well we’ll start with the first topic obviously. So as security needs evolve, integration of security, physical and cyber is becoming more apparent. We’ve got a blurring of lines between these two, between digital assets and physical assets and organisations must adapt and we must span both of these areas. Given this context, are the roles truly coming together? Are the professions truly coming together? Francisco what’s your take on this?
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Sure so we’re discussing whether the physical security and the cyber security professions are truly coming together, well in short, yes. So the physical security and the cyber security professions are increasingly coming together because organisations recognise there is a need for a more integrated approach to security and I would list that potentially the main factors that contribute to this convergence are, you know, a blurring of boundaries because of the prevalence of internet of things and operational technology devices; this essentially means that the attack surface has rapidly expanded as these systems connect the digital and the physical domains. Another one would be the shared threats, so what I mean by that is that both physical and cyber threats can impact an organisation’s overall security posture and that means they need a coordinated prevention and reaction to those common shared threats. Another factor would be risk management approaches. More and more organisations are looking or moving towards holistic risk management strategies that would consider all aspects of security and these tend to be separated across different silos and organisations are looking at ways of merging them to provide better and more holistic approaches to it as I mentioned. The other aspect is more and more cross training and collaboration initiatives; they want to ensure that both the physical security personnel understand the cyber security principles and vice versa so they are doing them in collaboration. 
From the cyber security space in particular just think about the very well-known Red Team exercises that involve a lot of trying to breach the physical security of whatever organisation they are testing to get to the cyber security space of that organisation, or a way of avoiding that space, that completely merges those two aspects really well and then last but not least, we have the regulatory compliance and the new law, so we have new regulations and legal requirements that increasingly emphasise the need for an organisation to protect both the physical and the digital assets and I think Kizzy is probably better placed to comment on this. Kizzy?
Kizzy Augustin
Health & Safety, Mishcon de Reya
Well I mean I can certainly add my two pence in terms of the merger or intersectionality between safety and security and I think what we’ve seen in recent years is there is an ongoing relationship between safety and security, needless to say when you look at physical security and cyber that’s also evolved as well. I think what we are seeing is weaknesses in security generally create increased risks for businesses which in turn will create almost a decrease in the safety element that you are able to manage and promote, so as a result we are seeing safety as a concept and security as a concept directly proportional to each other but in some way they’re inversely proportional to risk and the demonstration of that, I say the actual demonstration of that, has been a couple of bits of legislation that have developed over the last couple of years, perfect example, the Building Safety Act which was created as a result of a kind of outcry to the Grenfell Tower fire and it created a lot of, I’d say, onerous responsibilities on the colloquial duty holder and alongside that came the duty to ensure that you had a risk assessment process which is generally done electronically for various reasons and information being stored about the lifecycle of a building and the measures and mitigation that are being implemented in respect of the safety of relevant buildings and maybe even more directly relevant is the introduction, hopefully, the anticipated introduction of Martyn’s Law which you know for us in the safety world is now talking about physical security risk and counter terrorism and the Bill that’s going through Parliament at the moment is the Terrorism (Protection of Premises) Bill which is all about the physical safety of staff, occupants and the public and again that’s in response to the Manchester bombing and looking at what can be done to deal with physical security and how the information about your processes and management of risk is done and generally it’s being done electronically now.
John Root
Head of Cyber Security
Mishcon de Reya
Thank you, well it sounds like a converged and coordinated approach is absolutely essential. You mention new laws coming in so you know, I’ll start by saying Copilot told me, okay, so the evolution of health and safety responsibilities apparently began back with the Factories Act in 1833 and then you know, laws have developed and 1974 was the next and then 1992, then again in 20… 2002 and then Covid hit and you know that highlighted the importance of public health measures and being prepared. So you mentioned recent changes that are kind of expanding the scope and increasing the responsibilities of health and safety roles incorporating environmental protection and sustainability amongst others so what’s your view on the mega health and safety role that, I mean I saw there was a director of environment, health, safety, security and sustainability role or it was described as EHSSS sss, oh I can’t count the number of S’s so Kizzy what’s your take?
Kizzy Augustin
Health & Safety, Mishcon de Reya
It’s a real thing. John it’s a real thing. So I mean the idea of the development of health and safety and I hope that maybe the cyber world can take some comfort or at least reassurance on the direction of travel that we’ve certainly taken, hopefully not from 1833, but there’s been a lot of development in recent years in terms of what we call duty holders but essentially it’s those professionals that are the ones that are tasked with the operational side of managing risk so we laugh about the acronyms or the kind of titles that are being given to directors or managers responsible for safety and security but it’s a real thing and I remember a couple of years ago we held a conference in Berlin and all we were talking about was straight health and safety and all anyone else wanted to talk about was ESG and sustainability and security and they said the reason they wanted to talk about those risks was because their job titles were changing and it was all because these new risks were arising and the businesses wanted, instead of bringing in experts from outside, their existing safety professionals to take on board those roles because they already had an appreciation of what good risk mitigation looked like so you are getting these directors and managers who are being given the title environment, health, safety, security, quality assurance, sustainability… sssss but you know this is a real practical issue for individuals. 
I don’t know how any professional without the necessary support, and often they don’t have the necessary support because of a lack of time and resource, how do they actually fulfil their role and therefore if they can’t fulfil their role they’re really at risk of potential liability, not only for the organisation and the part that they might play within that but personal liability, so while all of these roles are adapting to the development of society and new risk and appreciation of risk, I think we need to start thinking where this might go next and I think there is more development to be had, certainly in health and safety we are seeing an additional role now being thought about, not even just physical and cyber security but also what this does from a mental health and wellbeing perspective and these kind of ideas of non-tangible safety and security. So I think that’s where we are going to see this develop next but at the moment certainly professionals are worried about whether or not they can fulfil their roles suitably.
John Root
Head of Cyber Security
Mishcon de Reya
So it sounds like there’s a lot of different responsibilities there, it sounds like there’s a lot of support that’s really needed. We’ve got, as you described, and in the real world not all of the roles are combined and not in all organisations, we have cyber roles, physical security roles, health and safety roles and they all have security aspects in them but are these really the same roles with different languages, or not? Who would like to start?
Kizzy Augustin
Health & Safety, Mishcon de Reya
I mean this may be more Francisco’s bag but I think for what it’s worth I don’t think there’s a change of roles and I don’t think we’re just getting lots of these different roles working in silos. I do think we are moving towards a time where (a) you have got cyber security professionals working alongside health and safety, sustainability and environmental professionals within organisations so there’s much more collaboration and communication which is the key. Very similar risk issues and therefore it makes sense to collaborate but I think what we’re seeing more of is the use of cyber tools as a way of achieving compliance, certainly in my world there’s much more reliance on the internet, on automation, on data and the use of computer related solutions to meet regulatory obligations. So if that’s the case then it makes more sense for these different worlds to come together and actually work together to mitigate risk as a whole. I don’t know what you think Francisco?
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
I agree with what you said, I would just add that I think, and this already happens but less and a bit more informally, so we have a convergence of security functions and what I mean by this, what needs to happen from my perspective, is that we need to move from this informal collaboration that might already happen in some organisations and effectively establish formal collaboration between these previously disjointed security functions so there must be mechanisms in the future, areas where they will communicate and work amongst themselves, be it sharing information, be it doing joint exercises, be it joint risk management practices, different areas that need to be thought about, what makes sense for each organisation to consider, but essentially it needs to move in a more formal way to ensure that that convergence happens among functions and it is less about making it all into one big role. So I don’t see that happening any time soon.
John Root
Head of Cyber Security
Mishcon de Reya
So we’ve mentioned a couple of times the sort of recent changes in the EU and US on a legal basis. Francisco what’s your take on what’s happening around the world?
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Sure so, if I look at the US and the EU as the leaders typically in this space coming up with new legislation that will drive the rest of the world to then either adopt it or come up with their own. We see a lot of focus so for instance the US government, it was already, I believe, back in 2022 I think, created a working group dedicated specifically to cyber physical resilience and their intention is to find new approaches to this problem and they intend to consult experts from across the public and private sectors and academia so they are really trying to bring everyone together and think about how to properly address this area. In the US as well we have the National Cyber Security Strategy and the upcoming Cyber Security and Resilience Bill that will also have impacts on this space. When we move to the European Union and more recently, probably on everyone’s mind, the NIS2 directive which seeks to boost the cyber and physical resilience of the European Union’s critical entities and networks and they expanded basically the sectors and types of entities that fall under its scope. A different kind of legislation but also with a very interesting impact would be the European Union Cyber Resilience Act that effectively sets out cyber security requirements for a range of hardware and software products placed on the EU market and that includes smart speakers, games and operating systems and it will be very interesting to see the impacts that it will have on how things change.
John Root
Head of Cyber Security
Mishcon de Reya
So Francisco and I start with a cyber security focus. Kizzy, what’s your take on the recent changes, with a different angle on it?
Kizzy Augustin
Health & Safety, Mishcon de Reya
I think without sort of going into lots of detail about the legislation, because there has been quite a lot in safety and security over the last few years; I’ve already mentioned a couple so building safety, a focus on sort of health and safety and what that is in its widest context and also new legislation such as Martyn’s Law, the Terrorism (Protection of Premises) Bill which is focussed on security issues in relation to premises and events, it’s all about reducing the likelihood of physical harm in the event of a terrorist attack so again that looks at your security function and making sure that public premises and events are prepared, it’s all about this idea of preparedness and hopefully I can maybe throw in some words that have come out of the new legislation such as Martyn’s Law, such as the Online Safety Act, such as the AI legislation that’s come out. We find that common threads are corporate and individual liability, the introduction of concepts of responsibility, accountability and competence being given some form of legal definition and what that looks like in our world, it’s people who have the necessary skills, knowledge and experience and also now for the first time introducing culture into the equation, so there’s lots of legislation surrounding safety, security, risk and harm but I think the concepts that we’re seeing running throughout are identifying some level of corporate responsibility but also personal accountability which is some of the things that we’re advising on.
John Root
Head of Cyber Security
Mishcon de Reya
It feels like that’s a constant stream of new legislation. Is that a good thing, a bad thing or you know, what do you think?
Kizzy Augustin
Health & Safety, Mishcon de Reya
Well as a lawyer I’d probably say it’s a good thing but I think as a person and putting myself in the shoes of duty holders I think there’s a lot of legislation out there, certainly in the UK. Some may say too much legislation. Some of the problems that we come up against in terms of advising clients is that there’s so much confusion around who does what, when and what piece of legislation applies to our particular building or our particular activities or our function, so what do we have to look at? Do we look at legislation, do we look at regulation? How important is guidance? I think in the UK there are really, really good intentions to solve problems and be sort of real fixers here but I think maybe our first port of call should have been and should still be to make better use of the kind of legal tools that we have already. One thing that’s maybe influenced that has been public perception and public pressure. You think about the public response to Grenfell which was absolutely horrific. There was a demand for more legislation. If we then saw the kind of fall-out from the use of data and computers and the misuse of computers and the internet then you have, you know, the Online Safety Act which took a while to get through and had its own difficulties but again I think public perception and public pressure has played a part in driving a stream of legislation and new guidance.
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Yeah, I would add, and picking up on Kizzy’s previous words, the fact that the new legislation focussed on corporate and individual liability and the notion of competence, I think this forces, and that’s positive, organisations to reflect on who is responsible for this within our organisations, are we just giving the label to someone or not, is that person competent to deliver on those areas or not, so it raises the bar on those areas and I see that as a positive one. The negative aspect for me is, as Kizzy is saying, too much, too many things coming from two different sides and then that means that it feels like we need some harmonisation, simplification of how different regulations or different aspects work whenever there are overlaps among the different requirements we might have. That means that an organisation might be subject to different regulations and to different regulators for common aspects. It means that a breach of one aspect might put you under the scrutiny of multiple regulators or entities in the area and then you have not only the local aspects but then you have the multi jurisdiction impact when your operations are across the world and across different jurisdictions and if they adopt either similar or sometimes even contradictory approaches to these different areas. That can create quite a complex environment. I always think about the most common analogy, you know, data privacy, you have GDPR to start with but then each region adopted their own regulations, some of them align, others don’t and we need to keep track of all the different requirements across the different jurisdictions and now it feels like security, physical security and health and safety will be facing a similar challenge.
Kizzy Augustin
Health & Safety, Mishcon de Reya
100%.
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
So I think definitely harmonisation and simplification would be greatly desirable in the future.
Kizzy Augustin
Health & Safety, Mishcon de Reya
I think just to give that context, the situation we have now in safety and security, excuse me, in terms of the regulators that can have a part to play, we have the Health and Safety Executive, you might have the Environment Agency, Fire Authorities who have their own localised primary authority relationships with businesses, you have Local Authorities who also have a similar approach, the Building Safety Regulator and the SRI who are dealing with security risks so I mean there’s a lot of regulators to deal with but the regimes don’t always overlap.
John Root
Head of Cyber Security
Mishcon de Reya
So, we are running a little bit short on time but I really do not want to get fined or convicted of various crimes in various countries. Kizzy, who really needs to do what?
Kizzy Augustin
Health & Safety, Mishcon de Reya
Well that’s a loaded question but I mean the idea of who is a duty holder, I think in short it’s the business owners, the employers, the occupiers of buildings, those that manage and control spaces and activities, or supply offerings, I think those are the people that really need to know whether or not they have a personal responsibility or a part to play as part of the wider corporate. There is a lot of confusion. It doesn’t even matter if you have HSSEQSS in your title, what the regulators actually look at is what you do. So what’s the scope of your services and what’s actually expected of you. There’s also this idea that as individuals, whether you’re a manager, a director, a consultant or an advisor, you also have some corresponding responsibilities and duties to meet so I think it’s almost – the answer to the question is everybody may well have some sort of responsibility or duty that they can play a part in.
John Root
Head of Cyber Security
Mishcon de Reya
So all of these things, physical security, cyber security, health and safety and all the rest of them, they all have a risk based approach, or can follow a risk based approach. What does that mean in reality Francisco?
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Right so well said. In most organisations we have finite resources, being people, money, tools, whatever we can use, so we need to figure out where we should be focussing first and apply the finite resources that we have available to us and that’s where a lot of the time the risk based approach comes in because we need to focus on what’s more relevant in each area and all these different areas eventually will have an approach to risk to figure out where they should be focussing first, what they should be doing and then we just discussed that there’s a bunch of overlaps between all the different disjoint security related functions and areas, with them perceiving risk slightly differently. But those risks also span across the responsibilities of the different areas so I would go back to the converged approach I talked about before. I don’t expect them to follow the same risk approach because it’s just not doable or not applicable for most organisations but they need to enable communication across the security function leaders. I think they need to engage with upper management to discuss what convergence of the risk approach might look like for each organisation, what makes sense for them, and one of the key steps we always advise is maybe to establish what we call a convergence team, identify the key players like the cyber security officer, the CISO, the one resource for physical security, the facility manager, IT, health and safety and give them a forum where they can communicate and start drafting what that looks like so that when risk is then passed on to upper management it already brings about the best of each part in a working manner instead of having a conflict of perspectives.
John Root
Head of Cyber Security
Mishcon de Reya
Well before closing and just to bring it home to everyone in the audience, Kizzy, what’s the risk to us, you know, we joked about, I joked about fines earlier, are they real?
Kizzy Augustin
Health & Safety, Mishcon de Reya
100% they are real. Hopefully people on the call will permit me for the next minute or so just to give you the war stories of the reality of what things look like in the safety world and how that is transgressing into the security world. Penalties generally for companies and individuals are unlimited fines and imprisonment for some individuals albeit I’ve heard today that the prosecution of individual directors and managers is on the decrease but it’s still a risk and it’s still a real risk so you know, this year we’ve had big prosecutions, a large waste recycling company fined £3 million for a tragic accident in relation to the decommissioning of a gas rig but that was really all around the failure to properly assess risks and that is what led to inadequate safety measures. A similar example, an NHS hospital last year, again fined I think it was £600,000 for failing to manage the physical safety of staff and patients in relation to patients who were prone to incidents of violence and aggression and that resulted in serious injuries and if you think that individuals escape, they don’t. Because you have very often a company secretary, so we had an example a couple of years ago, who was imprisoned for eight months for a breach of health and safety legislation and disqualified from being a director for seven years. All in relation to a failure to ensure that tasks were carried out safely, didn’t provide first aid to an employee, didn’t send them to hospital and neglected their legal duty to inform the HSE of breaches of security and safety and the reason we have all of that is because we have sentencing guidelines in the UK to provide some sort of consistency but a lot of the time for large organisations that have a turnover of about £50 million or more, you are looking at million pound fines each time there is a breach. 
So that’s the financial penalty but you have alongside that the reputational risk of having to disclose a health and safety issue or a breach of security issue and the loss of contractual relationships you know, having to disclose these kind of breaches and failures can really damage the relationships that you’ve worked so hard to build.
John Root
Head of Cyber Security
Mishcon de Reya
Thank you. I think we’ve highlighted why this is such an important topic, I think it’s really clear. Just to close as we are out of time, if anyone would like to get in touch with the panellists, as mentioned earlier you can get the bios and details in the section below on Zoom and I really appreciate everyone joining.
Kizzy Augustin
Health & Safety, Mishcon de Reya
Yeah thanks everyone for joining.
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Thanks everybody.
John Root
Head of Cyber Security
Mishcon de Reya
Thank you very much.