Concerned about the cyber risks of security equipment? Cover your bases with these practical recommendations.
The rapid gains that technology has made into everyday living have also changed how the security industry operates. In short, physical security has moved from being very simple inputs and outputs to encompassing always-connected devices, which makes the security industry very much a part of the Internet of Things (IoT) world. Of course, this leads to the question: How does physical security protect itself from cyber vulnerabilities?
There are already millions of smart home devices in the world, including smart alarms, locks, lighting, baby monitors, thermostats and televisions. It is predicted that there will be more than 21 billion connected devices by 2020. The amount of data that these types of IoT devices can create is huge: A Federal Trade Commission report, Internet of Things: Privacy and Security in a Connected World, found that less than 10,000 households can produce 150 million distinct data points daily. And that number only reflects residential use. Enterprise businesses generate their own endless amounts of data from a multitude of sensors, and in the security departments, this includes access control, video surveillance, analytics-based video applications and much more.
The Danger of Cybercrime
In 2016, the WannaCry ransomware attack infected more than 300,000 computers around the world. Frighteningly, the virus was spread by something as low-tech as an email. Britain’s National Health Services was caught up in the attack. As a result, surgeries were canceled, staff reverted to pen and paper and only emergency patients could be treated.
The most well-known example of a cyberattack on critical infrastructure was the attack on the Ukranian power grid in December 2015 when 250,000 homes lost power as a result. Accessing the systems controlling the plant’s circuit breakers did not require two-factor authentication, thus providing a security breach for the attackers to exploit with stolen credentials.
According to Kaspersky Lab research, the percentage of industrial computers under attack grew from 17 percent in July 2016 to more than 24 percent in December 2016. The top three sources of infection were the internet, USBs and email attachments.
A spear-phishing email was the technique used in an attack on a German steel mill in 2014. Here, the attackers gained access to the plant’s network through an infected email attachment. The success of these non-complex methods would indicate low levels of awareness about how cyberattacks are carried out.
In a survey of nearly 600 utility, energy and manufacturing organizations, only half of the companies had a dedicated IT security program. A hacker waits an average of 146 days from having penetrated a system before they strike; therefore, regular assessments give end users the opportunity to root out penetrations before they strike.
The dangers of cybercriminals are genuine. Last year, Kaspersky Lab discovered a ring of hackers called the Carbanak gang, where it was reported the ring had stolen more than $1 billion from financial institutions around the globe.
Hacks also can have dire economic impacts. For example, a possible hack that could trigger a blackout in North America is estimated to leave 93 million people without power and cost insurers anywhere from $21 billion to $71 billion in damages.
In a report by Cisco Cybersecurity in 2017, 35 percent of chief information security officers (CISOs) and security operations professionals said they see thousands of daily cyber threats, but only 56 percent are investigated.
These numbers and facts only scratch the surface of incidents occurring around the globe that have the potential to wreak havoc on an organization and its valuable information. When a breach occurs, each organization must take steps to learn from the outcome of other incidents and work toward strengthening the protocols in place for protecting breaches in the future. This starts with identifying how cybersecurity is handled at the basic level.
Who Is Responsible for Cybersecurity?
So now that we’ve identified and discussed IoT security and how the interconnectivity of devices can result in a greater risk of cyber threats and attacks, the question remains: Who is responsible for keeping data safe? With many players involved in the operation and maintenance of security devices, the uncertainy of this question is understandable.
According to a report from Radware, a provider of application delivery and cybersecurity solutions, there was no clear consensus among security executives when asked who is responsible for IoT security. Thirty-five percent of respondents placed responsibility on the organization managing the network, 34 percent said the manufacturer and 21 percent chose the consumers using the devices as being primarily responsible. The results demonstrate the answer: everyone.
Cybersecurity must become and remain top of mind for the organization, the manufacturer and the user. It’s not surprising that the majority of people polled chose the organization as the main stakeholder for IoT responsibility; after all, if a company is managing a network, one would expect it to protect the network as well. This can be done by adapting user-centric design with scalability, tactical data storage and access with appropriate identification and security features (for example, the use of multi-level authentication through biometrics in access control). Organizations must also use their IT teams to strengthen the overall cybersecurity of the IoT by keeping up with the latest software updates, following proper data-safety protocols and practicing vulnerability testing.
Manufacturers that provide IoT-enabled devices as part of a security systems must be fully knowledgeable of the risks involved and effectively communicate them to the integrators or end users. Providing the education and dedication necessary for protecting users of its equipment makes a manufacturer more trustworthy and understanding in the eyes of an end user. Ensuring encryption between devices is a key step that manufacturers can take to work toward achieving complete protection in the IoT.
Despite the protection delivered by the organization and manufacturer, there’s always the option for IoT security to be enhanced or possibly even diminished by the individual user. It’s critical that best practices for data protection are in place every time an individual uses a device that is connected to the network. These include disabling default credentials, proper password etiquette, safe sharing of sensitive information and the instinct to avoid any suspicious activity or requests.
The best way to clear up the general misunderstanding about IoT security responsibility is to emphasize that every contributor to the development and use of an IoT-enabled device plays an important role that cannot be dismissed. Despite the growing fear of threats to the IoT, the organization, manufacturer and user can work together and combine techniques to form a guarded and secure system.
Best Practices for Protecting Data
In addition to the organizational level, it’s critical to establish best practices for protecting data across all levels of a security installation. Here, we’ve outlined five ways to ensure data is safe:
Choosing the Right Equipment
One of the most obvious places to start is to choose equipment from reliable suppliers that have a knowledge and interest in cybersecurity and are focused on protecting your data. When your security system is designed from the ground up to protect against cyberattacks, naturally your organization will be in a much better place.
One way to establish whether the equipment can be trusted is to ask whether vulnerability-testing practices are in place. A security vulnerability in a product is a pattern of conditions in the design of the system that is unable to prevent an attack resulting. This will result in perversions of the system such as mishandling, deleting, altering or extracting data. Search for manufacturers that engage in this testing from the beginning, including the analysis of the type of cyberattacks that can potentially attack, break and disable a system.
Essentially, this form of testing puts the product through its paces, and once weaknesses are exposed, they can be patched up, and the cycle of attack-and-defense can take place again until eventually, a watertight ship is in place and ready for market. Testing is the critical discipline that helps identify where corrective measures need to be taken to rectify gaps in security. The more extensive an organization’s security testing approaches are, the better are its chances of succeeding in an increasingly volatile technology landscape.
Evaluating the Weakest Link
The most obvious low-hanging fruit for hackers is to target people. Targeting people opens the door to the “weakest link” possibility that can uncover vulnerabilities, such as lack of authentication and encryption, and weak password storage that can allow hackers to gain access to systems. Notably, most hacks come down to human error whereby weak passwords, or clicking on contaminated email attachments, will expose an organization’s security. Hackers have also been known to target contractors and simply wait until they go on site for scheduled maintenance with their infected laptops or mobile devices.
One way to help bolster defenses for individuals within an organization is to thoroughly establish procedures and protocols for accessing critical data points, including ensuring multi-level authentication and communicating how this must be followed to protect the organization from outside threats. From a more colloquial standpoint, an organization’s data is only as safe as how it’s handled at the weakest point in the chain.
Keeping up with Regular Updates
Cyberattacks must also be prepared for long after the product is released to market. Manufacturers should prepare regular firmware updates to keep a product in the field readily prepared to address the latest critical bugs that can flood the market, such as the recent Meltdown and Specter bugs.
This is where continuous testing at the manufacturer level becomes critical, since as the protection of data becomes more robust, so do the methods by which this information is stolen or compromised by outside threats. Maintaining an open and transparent process for identifying potential holes in security is important to the overall security health of an organization and sets manufacturers apart.
By encrypting before you send data and information to the cloud, it adds an extra cushion of control and power over that data. Not only does it provide an added defensive structure around a company’s information, but it also adds peace of mind to the equation when relaying this data to the cloud.
How can we best protect against the darker side of an increasingly connected world? By being open and transparent in exposing and reporting vulnerabilities. The best way to avoid attacks is to keep systems up to date, change passwords regularly, provide employee training and be diligent in safeguarding facilities through firewalls and following best practices in network maintenance. Keeping up with security updates allows us to make the most of the new technologies available today and into the future.
With cybersecurity, you must act every week. It is not something where you can say, “We’re safe, we’re secure and let’s forget about it.” For manufacturers, every time a product is released, you must focus your mindset on cybersecurity from more reactive to more proactive, thinking consistently that an attack is coming and planning accordingly.