How to Confront the Cybersecurity Challenge
With physical security devices residing on enterprise networks and connected to the Internet, the risk of compromise threatens hospitals, schools and universities. Subject matter experts define the challenges and discuss solutions.
In 2014 it became clear that no person, business or government is 100% immune to a cyberattack – regardless of the number of safeguarding layers or how “off the grid” someone may think they are. That is the 30,000-foot view. Zooming in for a more granular perspective reveals the stakes and risks are particularly high for security professionals. Like everyone else, they must contend with personal and business cyber-threats to themselves and their families, as well as those to their organizations. However, they must also ensure the networked security solutions they deploy are as impervious to cybersecurity compromise as possible.
With detected breach incidents up nearly 50% from 2013, it now seems to be a question of when and to what extent rather than if. No wonder cybersecurity is top of mind for the C-suite and campus administrators.
To get a handle on this complex topic that poses liability issues, CS sister publication Security Sales & Integration hosted a roundtable featuring cybersecurity technical and legal experts along with several leading integrators. The participants – most of whom are members of PSA Security’s newly formed Cybersecurity Advisory Council – were: Bill Bozeman, president/CEO, PSA Security Network; Dean Drako, president/CEO, Eagle Eye Networks; Andrew Lanning, CEO, Integrated Security Technologies; David Sime, vice president engineering & delivery, Contava; Paul Thomas, president/COO, Northland Controls; Darnell Washington, president/CEO, SecureXperts; and David Willson, attorney & owner, Titan Info Security Group.
Why should physical security professionals care about cybersecurity?
DEAN DRAKO: Many people in the physical security industry feel cyber threats are an information security problem. To date, it’s been mostly under the radar, although vulnerabilities have been publicly documented for physical security systems. However, the reality is that physical security is very vulnerable and can also serve as a doorway to full network cyber-attacks. The danger increases as the physical security systems grow more Internet- and network-connected with the general corporate network.
Campuses are demanding remote access and management, and better integration across multiple sites. There is more integration across functions, and with cloud storage costs coming down, end users want flexible and expanded data storage. With all this connectivity, the systems become more vulnerable to cyber-attacks. You do not want to be the weak link that allowed an attack to be successful. The liability could be large.
DARNELL WASHINGTON: The current state of cybersecurity has eroded to an all-time low. The president has issued executive orders for the formation of public and private, i.e. government and stakeholder private industry, to begin the process of strengthening and unifying the cybersecurity resilience. And by being able to influence mandates to influence mandatory controls for the public and private organizations who are especially involved in critical infrastructure, to work together.
This was the first line in the sand for upcoming federal mandates that are going to move beyond voluntary compliance to mandatory requirements for industries that are involved in critical infrastructure, to meet minimum-security standards, to being able to secure cyberspace.
ANDREW LANNING: From the small integrator side of the house, the folks I’ve talked to are, for the most part, very unprepared for what I agree is a regulatory body that’s going to come down on them. We regularly transfer valuable information about our clients’ security systems, whether that’s quotes, whether that’s designs. All that information is an additional attack vector, threat vector for hackers.
Many of the guys aren’t using encrypted E-mails, they’re not doing even the very basic things to protect a lot of that information. If the smaller guys are going to be providers to large organizations, we’ve got to pay attention to the regulatory guidelines affecting that market. We’re going to be held to the same or higher standards very soon.