How to Properly Vet Vendors for Cybersecurity Hardness
Here are some tips for figuring out if the vendor products you recommend and deploy for clients meet or exceed cybersecurity industry standards.
Cybercrime is predicted to cost the world over $6 trillion in 2021, double the $3 trillion of the previous year. That is a staggering number, and it reinforces that cybersecurity is everyone’s responsibility. What does this have to do with security systems integrators, though?
Security integrators are vital partners for the public and private sectors, trusted to recommend, deploy and support physical security systems that reduce the risk of a physical breach.
Security integrators understand security and the importance of “locking things down.” In today’s connected world, however, the risk of a cyber breach can come through the very hardware and software we install at clients’ facilities. How do we know whether the vendor products we recommend and deploy for our clients meet or exceed cybersecurity industry standards?
We need to properly vet the products we install for cybersecurity to reduce the risk of a cyber breach through the physical security equipment and software installed at our clients’ offices and facilities.
Here are three things security integrators must keep in mind about why a strong cyber-hardening process matters, both for physical security systems and for the vendors we partner with:
- A physical security breach can enable a successful cyberattack. An intruder with hands-on access to equipment such as servers, workstations, network switches and door controllers can reach critical data far more easily than a remote attacker can. The damages from a breach can result in liability for both the end user and the integrator.
- A cybersecurity breach can enable a physical attack. A successful attack on an access control or video system can grant unauthorized entry to a facility, putting people and intellectual property at risk and sometimes creating immediate life-threatening danger.
- Cyber criminals look for physical devices to exploit and use as a foothold for further attacks. IoT devices, including IP-based physical security equipment such as cameras, recorders and door controllers, are targeted because they are often network-exposed and rarely patched.
So, what is the best way to vet vendors for cybersecurity hardness? Here are a few key considerations to use as guidance:
Learn as much as you can about the vendor.
- Part of your due diligence needs to include discovering key information: how long has the vendor been in business and what are its goals? New vendors with great ideas and products come to market frequently, but many focus only on meeting immediate demands. I would caution against relying on such a vendor and would recommend vendors with experience and existing client references. Speak to those existing clients to learn about the vendor’s track record.
- What is the vendor’s financial backing? Is it privately held, state-owned (for example, by the Chinese government), carrying major debt or under other major financial obligations? Your research protocol for a new vendor should include a deep dive into the vendor’s total financial situation. A vendor that cannot sustain its business will not sustain security patches for the product you deployed either.
- Where is the vendor located? It is important to know whether the vendor is a U.S.-based company, and not just where its headquarters is: where is it taxed, where are its staff members located, and are its professional services, sales and support teams centralized or decentralized? It is also key to determine whether the vendor has ties to Russia, China, North Korea, etc.
Learn as much as you can about the product.
- In addition to learning about the company, gain a deep understanding of the product during your due diligence. Has a penetration test been performed, and if so, when, by whom (in-house or an independent third party), against which version of the product, and were the findings remediated? A test from several releases ago says little about the build you are about to install.
- Other key questions to answer include:
- If hardware, where is it manufactured and by whom? Is the software cloud-based, on-premises or hybrid, and who is responsible for patching each part?
- Use caution with products whose cyber-hardening relies more on the surrounding network infrastructure (VLANs, firewalls, VPNs) than on controls built into the product itself (strong authentication, encrypted communications, signed firmware and a regular patch process). Network segmentation is sound defense in depth, but it should not be a product’s only defense.
- It is also important to determine what the user interface is built with. Does the interface work with current browsers and OS platforms without requiring a legacy plugin or an outdated browser, and does it meet cyber standards across all of them?
These key tips are a great place to start, and PSA’s 2020 CIS Controls whitepaper is a great resource for integrators to reference for further guidance. Cyber criminals always seem to be one step ahead, so continual learning in this area is important. Luckily, there are great resources for you to lean on for support.
Tyrone Chambliss is a Program Manager at Northland Controls. He is also a member of the PSA Emerging Technologies Committee.
Very few of the suggestions above have anything to do with actual cybersecurity. “Financial backing”? Really? Instead, how about recommending things that matter, like adherence to cybersecurity standards and methods (least-privilege access, data access and infrastructure controls, CMMC, NIST, SOC II…), third-party pen testing and code review, data encryption protocols, data transit architectures, and physical and virtual data network topologies…
How about a real discussion of why relying on VPNs and thick clients can give a false sense of security? Or why on-premise VMS software is only as secure as the server OS it relies on (patch, people. Patch!).
Newer manufacturers have less legacy product infrastructure to support. Instead of ‘bolt-on’ security that has been dumbed down to the point of being ineffective just to allow the access features that customers want (cloud), maybe it is time the industry took a good look at the cybersecurity best practices the data networking industry has been using for over a decade.