Menu
Security Technology

How to Confront the Cybersecurity Challenge

With physical security devices residing on enterprise networks and connected to the Internet, the risk of compromise threatens hospitals, schools and universities. Subject matter experts define the challenges and discuss solutions.

DAVID WILLSON: From a more practical perspective, everything is so interconnected now with technology that you can’t ignore the cybersecurity piece. You can’t assume you’re separate and disconnected from everything else. [An integrator’s] liability is going to be huge if there is a breach and [the integrator is] in any way connected to a client’s network. [A client} going to look to [the integrator] for some of that liability responsibility. Like, obviously, with the Target hack and their HVAC company that was connected to their network.

WASHINGTON: One of the things currently available to the market is that most organizations are doing self-certifying, that their products meet various federal standards.

The migration of self-certifying is going to now start being written into contact language that is going to put liability and obligations on the integrator and installer to verify and have third-party verification that their security products that are being connected to IP networks meet minimum controls and standards.

It won’t be an elective or self-certification, but will be a verification process.

Are we seeing the beginning of recognition and change in terms of the concern about cybersecurity in the physical realm? What is the mentality or atmosphere out there right now?

PAUL THOMAS: We deal with very large enterprise customers and most of the security departments we work for report up through IT, and that’s changed over the past two years. Now we’re actually seeing lots of contract language that’s coming back, putting that onus on us. I’m not sure in the industry it’s widely accepted yet. I think it’s in its infancy as far as the industry paying attention to it.

We’re seeing a lot of pushback from our customers that are forcing us to go back to the manufacturers, and the manufacturers are throwing their hands up in the air saying they can’t really respond to what the customers are asking right now.

WASHINGTON: The tolerance or pain points within smaller [end-user] companies is that at one time they used to believe cyber-attacks were only for people who had something to hide, such as the financial industry and national defense and intelligence organizations. Now they’ve found everyone is a target. Whether it’s identity theft or creating system-wide destruction to affect critical infrastructure, all bets are off for the hackers. They’re running script against every subnet and every industry, and whatever they can find to exploit they will install malware to make you part of a larger potential type of security threat.

The other piece we’re seeing is nations using IP and cybersecurity as an offensive military weapon; they’re going after everyone who is a potential target. Now that we’re actually at the level of cyberwar, we need to provide down to the weakest link in the chain to be able to ensure they can’t be a threat vector or attack vector for additional cybersecurity
exploits.

BILL BOZEMAN: You didn’t ask if the smart guys in the industry get it, which they do. You asked if the industry in general gets it, and the answer is no. That’s the bad news. The good news is they are concerned and aware. They throw their hands up and say, “What do I do? Am I going to be held liable? How much is it going to cost me to get into compliance?”

I don’t think integrators this time are going to get the luxury they had for switching from analog to digital. I don’t think they can get around to it when they feel like it, two, three, four, five years. They’re going to get their butts kicked if they don’t get on the boat quickly. That goes for manufacturers as well.

WILLSON: Even with the smart guys who say they get it, the problem I’m seeing is people are associating cyber with computers. It goes right to the IT department. From my perspective, the IT guy is not the cybersecurity guy. They may have been forced to do that or had to learn on the job, but their focus is uptime and keeping the network running, not necessarily protecting it. So CEOs are basically saying cybersecurity is an IT problem, send it to those guys. They’re sort of pushing it off on someone else. They’re not taking it seriously, and it really is a risk-management issue, not just a technical issue. They have to be looking at the whole organization, how the information is flowing, how those connections they’re creating are creating new vulnerabilities, and how they’re going to address those and the liability it may place back on them.

LANNING: It’s been reported that only 30% of IT pros have any hands-on experience with cybersecurity work in their shop. If their industry is that thin on cybersecurity, you can imagine where our guys are. We’re down in the single digits, if not 1% or something, with any hands-on work, any kind of threat evaluation, any kind of vulnerability assessment or any kind of monitoring of our clients’ systems. The hardware manufacturers have a big problem with putting a big reset button on that device they’re hanging outside of peoples’ buildings.

WILLSON: The other thing we have to make sure with manufacturers and integrators is they don’t get caught into the trap a lot of companies are, in thinking there’s a silver bullet for security. If I use this managed service or this piece of hardware, or this piece of software I’m secure and I can forget about it. It’s a process. There’s no silver bullet. Unfortunately, companies are getting inundated with vendors who are saying, “Buy our product, we will make you secure,” and it’s not realistic.

WASHINGTON: There is no silver bullet, but there are appropriate levels of cyber hygiene. When we discuss the process of cyber hygiene, it goes back to the main fundamental areas that a systems integrator might be asked: Do you have an IP security policy that you as a systems integrator follows? That’s step one. Step two is do they have a systems security plan that they use to protect their information and their data, and if they do would they be willing to submit it for scrutiny and review by someone who was qualified to look at it, to see if they pass muster? Those are the two basic things, similar to if someone was coming in from a country that might require quarantine.

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Previous Pages 2 of 3 Next
Tagged with: Network Access Control Network Security Systems Integration

Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century

This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!

Get Our Newsletters
Campus Safety Conference promo

Recommended For You

Student and Staff Safety: Addressing the Significant Rise in Mental Health Needs and Violence
Student and Staff Safety: Addressing the Significant Rise in Mental Health Needs and Violence

In this webinar, attendees will learn the observable behaviors people exhibit as they head down a path of violence so we can help prevent the preventable.

Beyond Threat Assessment: Managing Threats with Appropriate Follow-up, Monitoring & Training
Beyond Threat Assessment: Managing Threats with Appropriate Follow-up, Monitoring & Training

This discussion will help participants analyze, understand, and assess their own program effectiveness.

Latest Quizzes

How Should These Clery Act Crimes Be Classified in Your ASR?
Mental Health in America: Test Your Awareness with This Quiz
Test Your Hospital Safety and Security Knowledge with These 9 Questions