Cyber Security: More than just an IT issue
14 April 2020
CYBER SECURITY breaches make the news headlines on an almost daily basis now, with organisations of all kinds considered to be potential targets for the hackers. In an exclusive article for Security Matters, Andy Schofield explains why, in the ongoing battle against the cyber criminals, it is vital to ensure continually that security systems are not themselves vulnerable to attack.
Although it tends to be the high-profile cases that grab our attention, it’s not just the likes of Facebook, Yahoo, Adobe, Marriott and Capital One that are affected by cyber crime. In fact, according to a report produced by 4iQ, cyber criminals have shifted their focus and are now targeting more and more small businesses, resulting in a 424% increase in authentic and new breaches in 2017-2018. Those carrying out such nefarious activities are increasingly sophisticated. All it takes is for one individual to hack into a single device within a building services network and they can then gain unfettered access to confidential information.
Horror stories about what can happen as a result of such events are in no short supply. Cyber crime can have a negative impact on all aspects of an organisation’s operation, ultimately resulting in reputational damage, lowered customer confidence, loss of business continuity and a restricted ability to function. For some, the ramifications of a data breach could be irreversible and, since the introduction of the European Union's General Data Protection Regulation, all organisations are now under additional pressure to implement strong operational policies in order to keep information safe.
The impact of poor cyber security is never clearer than when looking at its financial implications. For its part, Cybersecurity Ventures predicts that cyber crime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.
While these numbers are truly mind-boggling, there's a great deal more that could be done to improve cyber security by identifying and addressing any weak areas in a given corporate IT network. Why, then, isn’t this happening already?
The simple answer is that, while buildings have become more intelligent through the implementation of converged building services that have the Internet of Things (IoT) at their core, operating numerous systems over one infrastructure offers multiple gateways for attack.
Leading the way
Although there are some basic principles to adhere to when making a network secure, organisations in different vertical sectors often have their own unique approaches to it depending on their vulnerability to attack and their risk aversion. A combination of tools, people and processes is required to offer the requisite level of protection, so an organisation must have a complete understanding of its environment to allow for accurate decisions to be made and policies implemented.
It’s no surprise, then, that within sectors such as the utilities, finance and stock trading, the military, Critical National Infrastructure and pharmaceuticals, network security is a top priority. Likewise, universities and educational establishments are open to the adoption and use of new security technology, often teaching students how to ‘ethically hack’ systems and thereby helping to highlight vulnerabilities in a network. This knowledge is then made available to manufacturers to help them plug any gaps that could be exploited.
Another pocket of Best Practice is in the Data Centre sector. Data Centres are the hidden heroes of our connected world and protecting the information stored within them is vital. While access control may seem an obvious part of any security policy, Data Centres must be able to demonstrate that they have the appropriate access policies in place. In fact, Regulation (EU) 2016/679 (the GDPR) refers to ‘preventing unauthorised access to electronic communications networks and malicious code distribution and stopping Denial of Service-style attacks and damage to computer and electronic communication systems’.
This presents a significant challenge, though, and security professionals need to design a system that negates all possible risks, while also ensuring any measures introduced don't compromise Data Centre functionality. Traditional security approaches and technologies are limited in Data Centres and they require a means of protecting equipment access using something more than just a password. That being the case, a Data Centre security strategy usually takes the form of a multi-layered approach.
The latest technologies must be deployed alongside an integrated security system that provides control and integration through software-based video and enterprise-level access control systems. Similarly, although security issues have previously prevented the adoption of cloud-based access control in these facilities, that’s also beginning to change thanks to a combination of innovative technology and integration expertise. This is good news, as access control increasingly needs to be configured, operated and managed across multiple sites, even on a worldwide basis. It follows that this should be part of any decision-making process when considering cloud-based options.
Part of the problem
The ability to interconnect digital devices through the IoT is also driving interest in physical security, as is its ability to contribute towards business intelligence. Information gathered from security technology can help to reduce operational costs, develop comfortable working environments, optimise staffing levels, gather marketing intelligence, reduce risk and identify where training and skills development is required.
As such, there are increasing calls for greater collaboration between the physical security and IT communities to meet cyber security challenges. In a recent survey of 1,000 IT decision-makers across Europe, 77% said they believed their physical security systems are not optimised. The findings of this study are somewhat concerning, but not surprising. Within far too many organisations, security systems are the least secure element of buildings. That needs to change.
The problem is two-fold. First, the provision of security systems now requires experts from a range of disciplines. This means we should be moving away from the ‘all-in-one’ engineer to a multi-phase installation process whereby hardware installation is complemented by experts in software, IT and networking. This is not to say that one person or company could not cover all of these disciplines. However, it appears that relatively few are, at present, prepared to engage in the requisite training and skills development.
Just as importantly, it would seem that security installers are failing to educate their customers about the benefits of service contracts that include on-site and/or remote planned preventative maintenance, firmware updates, regular patching, firewalls, malware prevention, encrypted password changes and other preventative safeguards such as two-factor authentication.
Secondly, some IoT security devices don't possess adequate security features and are easy to access, even by the ‘novice’ hackers who've simply obtained online information about how to do it. Selecting the correct product is vital, but only a professional installation by someone who understands IT will ensure that a device is configured with the required levels of encryption.
Using Secured By Design-certified products is obviously a good thing. That said, it only guarantees security at the initial installation stage. The bottom line is that today’s IT professionals want products that are secure, user friendly and ensure good governance of data. Put simply, those products that fail to meet these three criteria are doomed to fail.
A comprehensive evaluation of risk requires a meticulous approach to mapping all of an organisation’s IT-related assets and processes – including its security system. Yet, despite the inherent risks of complacency, many IT security decision-makers are failing to implement effective measures designed to protect data. A study conducted by Kaspersky found that 65% of IT decision-makers felt their organisations are complacent on this issue and are failing to take the necessary steps to prevent data breaches.
Working with a security technology integrator that understands current cyber security technology trends and Best Practice can offer significant advantages, especially so when it adopts Best Practice as recommended by the ITIL framework and has been awarded certifications such as ISO 23001 and, perhaps most importantly, ISO 27001.
ISO 27001 covers cyber security, physical security and everything in-between. Those that have achieved it can ensure the confidentiality and integrity of information. Certified companies will also be able to advise on how to complete a Data Protection Impact Assessment, which is designed to identify and minimise the specific data protection risks of a project.
This is particularly important given the rapid growth in companies looking to manage and archive surveillance video footage via cloud storage. According to MarketsandMarkets, the Video Surveillance-as-a-Service (VSaaS) market is expected to reach $5.93 billion by 2022. It provides an opportunity to replace upfront capital expenditure with low variable costs that can scale with an infrastructure. We will undoubtedly see further large-scale deployment of cloud-based security and, for their part, integrators need to be able to understand the complexities and regulatory demands of working with this product set.
Protect and survive
Data protection is now the subject of intense scrutiny and must be taken seriously. Given the anticipated and unanticipated challenges that could emerge and threaten business continuity, placing security devices on an IT network infrastructure must never be considered to be a ‘fit and forget’ exercise.
Only the highest level of co-operation between an IT Department and its chosen physical security integrator will ensure that a network-connected surveillance and access control system is fully optimised, fit for purpose and, above all else, secure.
Andy Schofield is Director of Technology at Reliance High-Tech