On a beautiful fall Sunday I sat down to watch my Patriots take the field when I was startled by a creature scurrying across the floor. My own curiosity and a screech from my wife encouraged me to identify the breach.
After a challenging hunt I finally seized the perpetrator and set it free outside. I thought I was done until I later found a similar one hiding in the garage. I then decided to do a penetration test to determine the access point and the potential impact.
There was only a small nest in the garage and the access point was an open garage door. The house penetration was also an open door. This experience got me thinking. When I heard at the PSA Cybersecurity Congress that the Target breach was due to access through the HVAC system, the bell went off.
We integrators who implement and support technology-based systems introduce the potential for cybersecurity risks with every piece of equipment we deploy for our clients. The devices we deploy are like doors: they are easy points for predators to penetrate the network and eventually access sensitive data.
The question we need to ask ourselves is, Are we leaving the door open? Here are a few questions to answer within your organization to see how wide your door might be.
- Are the passwords used to access the client equipment tightly guarded and changed consistently?
- Are passwords left up to the engineer to create and do they vary from client to client?
- Are technology diagrams with sensitive information such as IP addresses, passwords or access information easily accessible by your clients or their employees?
- Do you change passwords every time an employee or client contact leaves?
- Is your access for client support encrypted and tightly guarded with limited access?
Chances are you won’t like most of the answers to these questions. After all, we grew up in the days when most passwords were factory-default. However, today, if we don’t address this issue, our technology may introduce a cybersecurity risk or breach point for our clients and leave us liable.
Here are a few suggestions for systems integrators to heed:
- Rally your brightest minds from across the organization to form a security council that will create a plan that addresses password administration, secure remote access, and client documentation.
- Implement a password management system and a document sharing system that limits access by rights to all documents and time-stamps who and when.
- Review your employee exiting process and make sure there are specific guidelines ensuring that when an employee leaves, any access to client networks is changed. Also create a process by which clients notify you when anyone leaves.
- Educate your entire organization about the cyber risk your business poses to the client. Educate engineers on strong business practices related to passwords, access, documentation, and the potential for a breach.
- Implement an auditing process that routinely checks for breach points, verifies employee adherence, and posts the findings within the organization.
- Create a formal document that encompasses your governance model and can be marketed to clients highlighting your best practices.
- Purchase a cybersecurity liability insurance policy to protect your business in case you are sued. Most business insurance policies do not go far enough to protect your business in this area.
Organizations have experienced a 176-percent increase in cyber-attacks since 2010. Cyber-criminals are using every network-connected device as an access door. The impact on your reputation and cost to your company will far exceed the investment to secure your business practices proactively.
LinkedIn and I would be happy to share more insight on this topic.
Please connect with me on