Are we talking enough about cybersecurity?
For many years, cybersecurity was the unmentioned elephant in the room. The possible vulnerability of IP-connected devices to a cyber-attack was seldom, if ever, mentioned, and even the most basic measures to prevent such an attack were not implemented. For the last couple of years, however, the physical security industry has begun talking more about cybersecurity, in some cases with an abounding enthusiasm typical of the newly-converted. Have our discussions sufficiently addressed the long-standing lack of awareness? We asked this week’s Expert Panel Roundtable: Are we talking enough about cybersecurity? Or too much? (And why?)
We are probably still not talking enough about cybersecurity. What makes it so challenging is that cybersecurity is a constantly moving target. Integrators and manufacturers might feel like they have it all figured out, and then the next cyber-breach presents itself and opens new issues. Cybersecurity requires everyone in the security industry to be playing offense and defence at the same time, every single day. It needs to just become part of the standard conversation when we are talking about physical security because they are so intertwined. I don’t think we are there yet. I still hear from security professionals who deny that cybersecurity is now part of our industry’s DNA. Until we can overcome that misconception, we cannot talk about it enough.
The industry talking about cybersecurity is an improvement over the past years when the topic wasn’t openly discussed. As the cyber landscape is evolving, discussing cyber preparedness has become top of mind for many organisations. Organisations’ (cyber) success and efficiency depend on the reliability of the networks which are the backbone of all functionality and operations. Organisations also need to protect their data and intellectual property. Talking about cybersecurity allows us to be good stewards in raising awareness about measures and policies to ensure that systems and data are better protected. It also allows us to be more diligent about smarter devices we can add to the network. The advent of smarter devices provides organisations with a world of opportunity to improve their operations and overall customer experience. So, we shouldn’t paralyse ourselves by avoiding the discussion.
No, we are not talking enough about cybersecurity! The constant demand for lower and lower prices on advanced products will bring us lower and lower quality products with less and less robust software. These low-cost security devices that sacrifice robust software for price are made that much more vulnerable to attack and takeover by malware and other cyber-attacks. A buyer may think he/she is getting a “great deal” from a supplier, but it’s wise to question your integrator and/or supplier on why, if it’s the case, the cost is so low and to determine the source of your supplier’s hardware and software. Dare to question your supplier!
In today’s age of hackers and general “bad people,” the physical security market needs to address the needs of cybersecurity. To the physical security industry this is a little bit of a new concept. Those customers and integrators who are solely physical security-focused will need to adopt some of the learnings from the IT industry, which has been addressing cybersecurity needs for years. Right now, there is a lot of “chatter” about cybersecurity, but little information. Cybersecurity means many things to many people. The industry needs to be educated on the implementation of cybersecurity, and there are several levels of implementation depending on the type of business: a grocery store will not need the same level of cybersecurity as an airport.
In this day and age, cybersecurity can’t be discussed enough. Every day we hear about attacks on financial, customer and product data; consequently, cybersecurity will continue to be at the forefront of building and enterprise strategic plans. As access to building data and operational systems increases, so do the challenges associated with securing the smart building environment. This is a shared responsibility, requiring focus and commitment from the systems integrator, manufacturer, and customer, and requires consistent, open communication. This is critically important as cybersecurity is often mistakenly considered an issue related to software, when in actuality, many cybersecurity issues arise from improper systems installation. Developing an ecosystem with trusted partners who are focused on cybersecurity for building-wide systems integration can make all the difference.
It’s an all-too-common event: Hackers breaking into critical systems at hospitals, universities and corporations and putting patient healthcare, sensitive personal data and trade secrets at risk. Admittedly, cybersecurity is a field most in the physical security industry try to avoid. Yet, we can help our customers prevent these potentially devastating attacks. As integrators, we install a variety of network-connected devices – such as surveillance cameras and card readers – each having its own IP address. This is the path hackers use to get onto a network. We urge our customers to immediately change the simple default factory passwords on new equipment. By creating strong passwords and changing them frequently, we can make our equipment much more difficult to hack. In some cases, we may even recommend adding a second identity verification method such as a biometric (iris, fingerprint or facial scan). We can’t talk – or plan – enough about stopping hackers.
In my opinion, you can't talk about the possibility of a data breach enough within the enterprise organisations we serve today with security-related products. At their core, these products should be safe to use while deploying the best possible technology to keep personal data safe and secure. With the rise in cloud technology and increased connectivity of devices, encrypting communications between devices is paramount – and it starts with manufacturers. Especially when legacy, new and different technologies are used together, a single insecure system or poor deployment can make the entire system vulnerable. This is where a strong relationship with IT professionals throughout the process of a security system upgrade can be invaluable. Keeping up with remote and instant access to security solutions must be weighed with the ability to keep data safe and secure from threats.
Cybersecurity is one of the primary challenges facing organisations in today’s environment. Recent results from the Security Executive Council’s Security Barometer Polls found that survey respondents reported cybercrime is the top risk facing their organisations. With that in mind, I believe there needs to be more conversation about how to mitigate these risks in a collaborative manner across the enterprise. Over the course of the past year, we’ve discussed the convergence of physical, IT, and cybersecurity within organisations – possibly even more than we’ve discussed how technology is converging. There are significant benefits to this level of collaboration; it is crystal clear that this approach benefits the greater purpose of security as well as overall strategies for continued success. An ongoing dialogue between IT, cybersecurity, and physical security teams is necessary to help gain a greater knowledge of how to best mitigate today’s most prevalent threats.
We aren’t talking enough about cybersecurity! Many people are still blasé about making their private information public online. More vigilance is needed to tackle issues such as identity theft, grooming and stalking. Equally, some businesses/corporations also leave themselves open to security issues by failing to frequently patch their systems, as demonstrated by the infamous WannaCry ransomware. Even the most recent large-scale cyber-attack could have been prevented with fully updated systems, and it is frustrating that these issues could have been avoided! With IoT, the threat can only become more severe. Without the right security built into each network component, there is always a “back door” for malware. Even with security in place, some people still fail to update passwords and keep this protection watertight. Technology is changing and evolving faster than the habits of users, so we need to ensure everyone is aware of the need for vigilance.
I don’t think we can ever talk “enough” about the importance of cybersecurity. As cyber threats continue to increase and evolve in sophistication, the industry must stay proactive in its approach to mitigating these risks. Video surveillance can be considered the first real IoT application and, in fact, connected cameras are ubiquitous. Since we have already seen the impact of unsecured IoT devices (the Mirai Botnet attack), we don’t know the extent of additional vulnerabilities. Therefore, manufacturers, integrators and end users all must take precautions on any new product installations. At the same time, we also need to be aware of the significant installed base of IP-based technologies, which includes cameras and also NVRs, IP-connected access control devices, intrusion detection systems and more. Unforeseen vulnerabilities could lead to more damaging attacks, such as accessing or tampering with private video, controlling door locks and access control systems, disabling alarm systems, and more.
Cybersecurity is at the forefront of both our professional and personal lives and, therefore, I don’t think we are talking about it enough. The reality is that as we continue to move toward IoT in all aspects of our lives, we continue to uncover new cyber vulnerabilities. As security professionals, we are entrusted by our customers to provide secure products and guidelines to safeguard these products from potential hacking and at the very least understand these vulnerabilities. In many ways this understanding comes from partnerships throughout the industry and combining the knowledge base across multiple platforms. By working together to provide a solution-based system that is rigid against cyber-attacks, we improve overall protection. This will only increase in importance going forward.
Granted, we are talking a lot about cybersecurity, but our Expert Panelists agree it’s still not enough (and may never be enough!). Cybersecurity is one of those problems that will never go away. More than that, it is constantly changing and reemerging in new forms to forever thwart our best struggles to prevent, protect, and/or address. There will be plenty to talk about for the foreseeable future, and no possibility of ever saying enough. So, let the discussions continue.