Security Integrators Need to Open Their Eyes to Real Threat of Cybercrime
Turning a blind eye toward the threats posed by cybercrime is a dangerous position that could lead to business losses with fatal implications for any company and its customers.
It seems sensible that, as service providers, we should be enacting any and all prudent efforts to implement security controls against risks to our enterprise. To avoid the alleged security failures associated with the third-party contractor in a now famous retail cybersecurity breach of epic proportions, it might be assumed we are taking measures to adopt safe practices for the people and devices that interface with our customers’ networks. Or are we?
Turning a blind eye toward the threats posed by cybercrime is a dangerous position that could lead to business losses with fatal implications for any company and its customers. Solution providers that remain uninformed of the threats and how to mitigate them may unknowingly be putting themselves and their customers at risk. Physical security practitioners that do not specialize in information protection will benefit from developing relationships with trusted security providers with expertise in assessing and auditing information security risk.
Enlist Experts on Risk Assessments
Darnell Washington, Certified Information System Security Professional (CISSP) and CEO of SecureXperts, recommends steps to mitigate the category of advanced persistent threats (a term commonly used for cyber threats that involve Internet-enabled attacks). The primary step begins with simple measures, such as adopting safer approaches to username and password combinations. He advises moving toward multifactor authentication practices, for example, deploying integrated solutions combining biometrics or smart card devices in conjunction with passwords.
Washington also counsels that in order to protect information, companies should classify and compartmentalize the data, and limit access to information to authorized users. This sounds obvious, yet failing to assess the risk to sensitive information throughout its journey from inception to destruction is frequently listed as a common mistake in organizations of all sizes. This means assessing procedures for data in transit, at rest and until data is destroyed or deemed unusable. A risk assessment performed by a qualified information security professional helps to analyze information flow through business processes so that the appropriate security controls can be applied to help to mitigate the associated risk.
“Integrators shouldn’t wait for best practices in their industry when seeking to implement cybersecurity into their products. They need to do a risk assessment now, or have one done, as well as a penetration and/or vulnerability test on their products/systems in order to identify potential or present vulnerabilities and risks,” notes David Wilson, CISSP, an attorney specializing in cyber risk management. “Once these are identified, address them; don’t ignore them. Addressing them could be creating a fix, or simply warning that the risk exists; but ignoring it will not make it go away. Seek out a cybersecurity expert to assist with the evaluation. We all believe we know our product until an outsider comes in and points out all of the holes we missed.”
Extend Training Throughout Ranks
Cybersecurity experts agree that enlisting the aid of qualified information security professionals is just a portion of a total solution. Security awareness training from the executive level through the ranks, not just for IT, is critical to ensure consistent implementation of security policy. “The anticipated business outcome (of security awareness training) for the integrator is increased awareness of how to protect themselves and their customers against multiple IT security vulnerabilities,” says Washington. “They will educate themselves on how to deploy next-generation security technologies safely and securely from an IT perspective.”
Wilson agrees with Washington on the essential nature of cybersecurity education, noting that your clients’ staff need to be aware of risks as well as understand how a lackadaisical attitude can impact their company.
“Too often I hear business owners say, ‘I am not worried about cybersecurity, I don’t have anything the hackers want to steal,’ or, ‘my company is too small to get hacked.’ Well, hackers want anything and everything, so everyone is at risk,” Wilson says. “I also hear, ‘I am not worried about it, we use really strong passwords and have a really good IT guy.’ When I hear this I ask, ‘So, is your security better than Target, Lockheed-Martin, NSA, the Pentagon, and the state of South Carolina, to name a few?’ We need to take cybersecurity more seriously and training the workforce about the risks and potential impact as well as who is getting breached is one of the keys.”
In the end, third-party providers, including installation and service companies, share in the responsibility of data security. To better understand the vulnerabilities, risks and means to mitigate the threats, partner with CISSPs and make security awareness training a priority.
Barbara Shaw, CPLP, is the Director of Education at PSA Security Network. Shaw earned the Certified Professional in Learning and Performance credential from the American Society for Training & Development (ASTD) Certification Institute.
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.
A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!