Mind the Gap
Thwarting blended attacks with unified VMS
The reports come with increasing frequency. One day it is hackers accessing an Internet of Things (IoT)-connected building system to cause chaos that compromises the physical security and safety of a facility and those inside it. The next it is a bad actor gaining unauthorized physical access to a facility’s server room, then instigating a cyberattack. Or maybe it is an employee’s unencrypted laptop falling into a bad actor’s hands, affording them access to an organization’s network and sensitive data.
As cyber-to-physical and physical-to-cyber incidents like these illustrate, blended or hybrid threats pose a real and potentially very costly threat that building owners, facility managers and security teams would be wise to take steps to address. Just ask hotel and casino operator MGM, or the health department in Multnomah County, Oregon, USA, both recently victimized by blended attacks.
To further complicate matters, blended risks are evolving at lightning speed with the rise of artificial intelligence (AI). Those risks are apparent on external and internal fronts. Not only are cyber criminals leveraging AI to engineer and execute attacks, the growing use of AI in its various forms (agentic AI, generative AI, etc.) creates new internal digital surfaces to defend against cyberattacks.
All this confronts building owners, facility managers and security teams with shape-shifting threats that require them to adapt their approaches by reinventing their visitor management strategy with new risk frameworks, threat models, capabilities and countermeasures.
Today’s blended threat landscape
As if cyberthreats and physical threats by themselves were not enough to contend with, now hybrid threat vectors that exploit the weak links between the two domains must be accounted for and addressed. Some of those vectors are obvious, others less so. Here are several examples:
- Missed warning signs, the result of operational silos and/or blind spots. If a security team notices an employee's badge has been used for unusual after-hours entry, they may investigate and find nothing unusual. But they also may not think of alerting their counterparts in the organization’s cyber team. If the two teams lack an integrated visitor management system, the cyber team may lack the awareness to check for simultaneous VPN logins that could suggest an attack attempt is underway, warranting quick investigative action. In such a scenario, a coordinated cyberattack can go completely unnoticed until it is too late.
- Inconsistent or imbalanced policies invite trouble. It is not uncommon to find that an organization’s security and compliance policies are imbalanced, mismatched or inconsistent in terms of their sophistication, strength and reach. The cyber team could have strong multifactor authentication measures along with other cybersecurity layers in place. Yet, the protocols employed by the physical security team lack deep background checks or strong badge security. This can create serious vulnerabilities that leave people and assets exposed.
- Disconnected systems lead to inaction against insider threats. When siloed systems prevent organizations from correlating physical access logs (who opened the server room door, for example) with digital activity (such as unusual data downloads), it can be difficult to quickly spot and take action to halt malicious insider activity.
- A lack of real-time information slows emergency response. Without a real-time, accurate accounting of all a facility’s occupants (employees, contractors and other visitors) and their location at a given moment, it is difficult to coordinate an effective, fast first response and evacuation during an emergency.
- Inadequate measures at the point of engagement elevate risk. Treating the physical point of entry — the lobby reception area, for example — as the initial trigger for security and compliance measures leaves an organization vulnerable. Risks should be identified further upstream at the true initial point of engagement between an organization and a potential visitor, such as the initial invitation to an on-site meeting. Reception is but one milestone in the visitor management process.
Meet Visitor Management 2.0
The linkage between the physical and cyber domains within an organization means issues like these can produce cascading and even catastrophic consequences, from data theft and stolen intellectual property to operational disruption (temporary manufacturing shut-downs and data center closures, for example) and resulting financial loss (recovery costs, downtime and regulatory fines).
What can building owners, FMs and security and compliance teams do to better protect themselves against blended or hybrid attacks? The first and perhaps most critical step in closing the gap between physical and cyber security is to create a converged security and compliance environment, wherein policies, procedures, processes and tech capabilities across the two domains are centralized. This means doing away with manual visitor logs, siloed systems and spreadsheets, shifting to a holistic approach to managing the entire visitor life cycle — an approach called Visitor Management 2.0.
In short, blended threats call for a blended visitor management approach, one that can account for both the who (the people physically allowed into buildings) and the what (the risks to which an organization is exposed via its digital infrastructure). A Visitor Management 2.0 approach, supported by a single, integrated visitor management system (VMS), can bring a new level of visibility, automation and intelligent analysis to the entire visitor life cycle, with the ability to implement unified core visitor policies across multiple sites, along with the flexibility to tailor requirements to specific sites, such as high-security areas that require additional screening such as NDAs or health checks.
Necessary tools to counter blended threats
With a single digital visitor management environment in which to manage physical and cyber security and compliance as the foundation, FMs, building owners, and security and compliance teams can then start exploring more sophisticated tools and strategies to protect against cyber-to-physical and physical-to-cyber threats, including:
- Identity verification: Instead of waiting until a visitor reaches the lobby or another physical entry point, organizations can initiate identity verification further upstream, at the initial touchpoint, such as when an invitation is sent to a potential visitor via email. A new generation of intelligent VMS capabilities can scan government IDs and cross-reference visitor information against internal databases, watchlists and denied party lists in advance, and alert appropriate teams when it identifies an issue. Organizations can also collect information for NDAs, health declarations, etc., in advance as part of the preregistration and vetting process to approve visitors and streamline entry. Not only does this help to close security gaps, it also improves the visitor experience, which reflects positively on the organization. Elevating both security and the visitor experience is one of the key tenets of Visitor Management 2.0.
- Pinpoint access control: Visitor Management 2.0 also envisions organizations developing a unified identity for each visitor that can be used across an identity and access management (IAM) system (like Azure AD or Okta) and a physical access control system (PACS) to control both physical access and, if needed, digital access (like temporary guest WiFi credentials).
By combining digital identity (their IAM profile) and physical identity (biometrics, including facial recognition, along with documentation), organizations can begin to eliminate gaps and blind spots that open the door to blended attacks.
Meanwhile, based on findings from the identity verification process, the system can also apply contextual security rules (conditional access policies) so that, for example, a visitor's guest Wi-Fi access can be automatically disabled if they overstay their scheduled visit, or alerts are triggered if someone badges into a secure area, then logs into a network from an unexpected location. The system can grant least-privilege access to specific doors or floors, preventing people from roaming a facility and gaining access to restricted assets. It also can instantly deactivate a former employee's digital network credentials and their access badge.
Real-time anomaly detection is another key aspect of the Visitor Management 2.0 proposition. By linking a visitor management system with a PACS, security teams can quickly flag and address instances in which a visitor's badge is scanned at a door that is outside their approved access area, or if a guest Wi-Fi login is attempted after the visitor has checked out, thwarting potential blended threats.
- Data security & compliance: Protecting visitor data is non-negotiable. VMSs collect a large amount of personally identifiable information (PII) and sensitive data, making them a high-value target for bad actors. Any systems that hold PII should use end-to-end encryption for all visitor data both in transit and at rest. They should also comply with data privacy regulations like GDPR and CCPA, with the ability to readily produce audit trails to document compliance. Eliminating error-prone paper logs in favor of centralized digital record-keeping makes these kinds of tasks much simpler to execute, and more accurate from a reporting perspective.
Emerging approaches such as self-sovereign identity (SSI) are also helping organizations protect visitor data. SSI allows visitors to store their credentials in a digital wallet on their mobile device and share only the specific, verified information required for access, minimizing the organization's liability for storing large amounts of sensitive personal data.
It is also important to assess visitor management software, which, if lacking adequate built-in cyber protection, can invite cyberattacks, providing a backdoor into the network and the data stored there.
- Emergency response: Effective response during an emergency can be next to impossible at facilities that rely on manual check-in and check-out logs. On the other hand, using digital check-in and check-out logs and an accurate, real-time manifest detailing exactly who is on-site and where they are supposed to be at a given time makes emergency evacuations and first-responder efforts much more effective.
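The anomaly checks described above under pinpoint access control (a badge scan outside the approved area, a guest Wi-Fi login after check-out, a badge-in followed by a login from an unexpected location) can be expressed as a small correlation pass over merged VMS, PACS and Wi-Fi records. This is an added example, not code from the article or from any VMS or PACS product. The record fields, rule names, the 30-minute window and the sample data are constructed assumptions, and the unknown-visitor and badge-after-checkout rules go one step beyond the cases the text lists.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names are assumptions, not a vendor schema.
VISITS = {
    "v-1001": {"doors": {"lobby", "floor3"}, "site": "hq",
               "check_out": "2024-05-01T11:00"},
    "v-1002": {"doors": {"lobby", "server-room"}, "site": "hq",
               "check_out": None},  # still on site
}
EVENTS = [
    {"ts": "2024-05-01T09:05", "src": "pacs", "visitor": "v-1001", "door": "lobby"},
    {"ts": "2024-05-01T09:40", "src": "pacs", "visitor": "v-1001", "door": "server-room"},
    {"ts": "2024-05-01T10:15", "src": "wifi", "visitor": "v-1001", "site": "hq"},
    {"ts": "2024-05-01T11:30", "src": "wifi", "visitor": "v-1001", "site": "hq"},
    {"ts": "2024-05-01T10:00", "src": "pacs", "visitor": "v-1002", "door": "server-room"},
    {"ts": "2024-05-01T10:10", "src": "wifi", "visitor": "v-1002", "site": "branch-7"},
    {"ts": "2024-05-01T12:00", "src": "pacs", "visitor": "v-9999", "door": "lobby"},
]
WINDOW = timedelta(minutes=30)  # assumed badge-to-login correlation window


def detect(visits, events):
    """Return (timestamp, visitor, rule) alerts from time-ordered events."""
    alerts, last_badge = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, vid = datetime.fromisoformat(ev["ts"]), ev["visitor"]
        visit = visits.get(vid)
        if visit is None:  # credential with no visit record behind it
            alerts.append((ev["ts"], vid, "unknown_visitor"))
            continue
        out = visit["check_out"]
        checked_out = out is not None and ts > datetime.fromisoformat(out)
        if ev["src"] == "pacs":
            if checked_out:
                alerts.append((ev["ts"], vid, "badge_after_checkout"))
            elif ev["door"] not in visit["doors"]:
                alerts.append((ev["ts"], vid, "door_outside_scope"))
            last_badge[vid] = ts
        elif ev["src"] == "wifi":
            if checked_out:
                alerts.append((ev["ts"], vid, "wifi_after_checkout"))
            badge = last_badge.get(vid)
            if ev["site"] != visit["site"] and badge and ts - badge <= WINDOW:
                alerts.append((ev["ts"], vid, "login_from_unexpected_site"))
    return alerts


if __name__ == "__main__":
    for alert in detect(VISITS, EVENTS):
        print(*alert)
```

None of these rules can fire when the three sources sit in separate silos, because each one needs the visit record and the event stream side by side.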
For building owners, FMs, and their security and compliance teams, the threat landscape has changed. As the digital and physical worlds within their facilities blend, so, too, must the approaches they use to protect them. Having a more sophisticated, holistic visitor management strategy, supported by a unified system with the latest intelligent visitor management tools, is essential to closing the cyber-physical security gaps that invite in the bad actors lurking around every digital and physical corner.