I recently reviewed the results of our corporate network penetration test. I was pleased with the results, although it identified some areas for us to focus on. This level of discovery is exactly why we do it as often as we do. It has become a consistent budget item and one that I feel is worth every dollar of investment.
This level of security focus is smart for our business and it is critical for us to be able to support our clients. More and more I see a growing trend by clients to require that their service providers have implemented strategic processes to ensure that their data is secure and access to their network is protected. Clients are finding that industry regulations and compliance requirements extend beyond their organizations to those that support them.
As integrators who implement and support technology-based systems, we introduce a potential cybersecurity risk with every piece of equipment we deploy for our clients. The devices we deploy are like doors: they are easy entry points for predators to penetrate the network.
The question we need to ask ourselves is, are we the “cobbler’s kids” who have no shoes — in other words, implementing networked security systems but not cyber securing them, even within our own business?
Here are a few questions to answer within your organization to see how wide your door might be open:
- Are the passwords used to access the client equipment tightly guarded and changed consistently?
- Are passwords left up to the engineer to create their own and vary from client to client, or is it “password” spelled backwards?
- Are there technology diagrams floating around with sensitive information like IP addresses, passwords or access information?
- Do you change passwords every time an employee leaves or a client contact leaves?
- Have you provided staff training related to cybersecurity best practices?
- Is your access for support of your client encrypted and tightly guarded with limited access?
Chances are that you won’t like most of the answers to these questions. However, if we don’t address these areas today, our technology may introduce a cybersecurity risk or breach point for our clients and leave us liable. Here are a few suggestions:
- Rally your brightest minds from across the organization to create a security council that will create a plan that addresses password administration, secure remote access and client documentation.
- Implement a password management system and a document sharing system that limits access to all documents by rights and time stamps who accessed what and when.
- Review your employee exiting process and make sure that there are specific guidelines when an employee leaves to deny access to client networks and that passwords are changed.
- Educate your organization from top to bottom about the cyber-risk your business poses to the client. Double down on engineers to educate them on strong business practices related to passwords, access, documentation and the potential for a breach.
- Implement an auditing process that routinely checks for breach points, verifies employee adherence and posts the findings within the organization to highlight their importance.
- Create a formal document encompassing your governance model and highlighting your best practices that can be marketed to clients.
- Provide regular training to your staff related to cybersecurity risk and corporate policies.
- Purchase a cybersecurity liability insurance policy to protect your business in the event you are sued. Most business insurance policies do not go far enough to protect your business in this area.
In summary, organizations have experienced a 176 percent increase in the number of cyberattacks since 2010. Cyber criminals are using every network-connected device as an access door. No one wants their name in the paper when it comes to cyber breaches.
If you would like to learn more in this area check out the great work that the PSA Security Cyber Committee is doing for Security Integrators at http://bit.ly/2aGURK1.