In our industry, security is everything. We secure homes, offices, factories, government buildings and even aging parents. So why aren’t we securing networks?
Mostly, this is because security only recently began transitioning from an analog environment to an IP-based environment.
“In the industry, there are companies that have seen this coming and are well ahead of it,” says Kevin Donegan, vice president of strategy and security, Convergint, Schaumburg, Ill. “Convergint was one of the first to move forward and get to the digital side of the business, and once that happened, everything changed. Instead of security companies being separate from IT systems, we now see the convergence of these two, because a camera is in fact a network. The security system is now a conduit bad guys can use.”
Convergint, ranked No. 1 on the SDM Top Systems Integrators Report, was able to get ahead of this trend and provide cyber services before many in the industry had even thought of it.
Dan Dunkel, managing director of PSA Security’s Managed Security Solutions Program (MSSP), Westminster, Colo., explains that for smaller companies, it may be easier to partner with others to provide cyber services.
“The convergence of physical security solutions with the IT infrastructure demands that digital security be addressed,” Dunkel says. “The challenge is to partner with cyber security solution providers as you ramp your own internal capabilities. The good news is these cyber firms see the opportunity to provide mid-tier firms with these cyber managed services. Cyber security has become a priority to businesses, and physical integrators that do not offer these services will be replaced.”
Growing Cyber Talent & Know-How
Antoinette King, key account manager at Axis Communications and member of the Data Privacy and Cybersecurity Advisory Board at the Security Industry Association (SIA), says that cyber security should not necessarily be an independent service.
“From an implementation standpoint we talk about device hardening, which should be a fundamental part of installations,” King says. “Then, during the maintenance process, you want to make sure you’re maintaining firmware updates, that the product is still supported by the manufacturer, and that’s really where the integrators that have this capacity and talent can develop those long-term relationships.”
That capacity and talent is tricky to find — and afford — for most security companies. But Joe Gittens, director of standards at SIA, says the physical security industry has certain expertise that lends itself to cyber.
“The physical industry is becoming more and more indistinguishable from mainstream IoT,” Gittens says. “As this convergence continues, the physical security industry has achieved knowledge of the network vulnerabilities that make up the infrastructure — even more so than your typical cyber security firm. So one of the major challenges is finding talented technicians that have knowledge on security and cyber.”
Michael Ruddo, chief strategy officer at Integrated Security Technologies, Herndon, Va., says that finding qualified staff is the greatest challenge in offering cyber services.
“That in-house expertise comes at a significant expense as the level of talent required in this arena can be cumbersome to traditional security companies,” Ruddo says. “The cost to hire and then keep that individual current on cyber best practices and policies is dramatically more than what traditional security companies are used to. There is also a limit to the number of quality people in the marketplace. Training and certifications can be expensive as well, but are needed to stay relevant.”
Without these expensive trainings and certifications, IT departments and traditional cyber security companies will continue controlling the market.
“Most [traditional security companies] do not have IT-focused sales personnel or technicians that are comfortable with the cyber conversation,” Donegan says. “Offering cyber security services isn’t enough. You also have to be able to articulate the offering to the client in a way that helps them understand how beneficial the services are and then be able to deliver them.”
Star Asset Security, Orlando, Fla., was in a unique position during the industry’s switch to digital, since the company had acquired a managed services company. Chief Operations Officer Scott Anderton says that while they are sometimes the only ones thinking about cyber security on an account, other times they are working with strong IT departments who appreciate they’re thinking about cyber and security.
“The biggest challenge is when a physical security integrator comes in and starts saying they’re going to start putting all this equipment on the network, and the IT guy stops them and wants control,” Anderton says. “Traditionally, physical security integrators don’t speak the IT speak. You’re kind of coming out of left field when you say you offer cyber security, too. Cyber security is a whole industry in itself, and when you dig down into it, an IT guy can usually pick apart the offering and say you’re only doing one piece. It’s just trusting when you go in there and say you do cyber security services, you’re actually going to be able to execute.”
Once you do have that cyber expertise, though, Anderton says the cyber conversation is a very easy one to have with clients. You may not close deals with everyone, but they appreciate your thinking about cyber and trying to align with the cyber security policies they already have in place.
King says that a good relationship between integrators and IT is essential so both can work toward making an organization cyber-secure.
“It is imperative you understand a company’s policy, because for decades, physical security integrators have been putting devices on networks without permission,” King says. “We have to recognize we do that and own it, and then establish that relationship with trust, otherwise the end user suffers.”
And the first step to establishing yourself as a credible advisor for cyber security is securing your own devices.
“The future opportunities in cyber managed services are vast and expanding, and the initial opportunity for physical security integrators is securing what you have already sold and installed, IP cameras being the prime example,” Dunkel says. “For years, integrators installed cameras on networks with no security. Hackers target these camera endpoints for access and move laterally throughout the network to breach servers and exfiltrate data. These IP cameras are typically wide open using default passwords, they’re behind on firmware and operating systems releases, and are essentially the weak link in the network.”
Maintaining Cyber Security While Working From Home
Since the COVID-19 pandemic hit, a large portion of the workforce has transitioned from going into an office every day to doing their job from home. This only increases the chances of a data breach.
“In the last few months, many companies had to abruptly change to a work-from-home workforce, which means heavy use of VPNs or web-based email clients,” says Jason McLean, information security analyst at Unlimited Technology, Chester Springs, Pa. “You have to protect the users, but at the same time, there’s the question of whether the organizations have the remote infrastructure required.”
Scott Anderton of Star Asset Security says that many clients weren’t ready for the switch to remote working, and so, in a panic, they started handing out computers and telling employees to go home.
“It would open these holes,” Anderton says. “To counteract that, [we helped them] understand we have these tools already implemented and gave them access to those, maintaining the barrier of cyber security on personal devices.”
Security companies also need to ensure their own remote workers are being cyber secure.
“You’re coming from a closed environment where everyone is behind a firewall, so what does that security protocol look like when they’re accessing things from home?” says Steven Paley of Rapid Security Solutions. “We have an IT firm we work with, and we make sure that network connection from our remote workers to our servers is protected as much as possible. If you’re not doing that, you’re really opening your own company for some potential liability and problems down the road. No one wants to go out in the rain without a raincoat.”
Michael Ruddo of Integrated Security Technologies says that educating employees about proper cyber secure practices is essential as they are working from home.
“Any time you are leveraging someone else’s network to access your company’s data infrastructure, you need to make sure it is secure, or you need to add elements to ensure the transmission between your home and the company’s infrastructure are secure,” Ruddo says. “This risk is further magnified as the work-at-home environments are uncontrolled by your company’s established security measures — things like virus and malware protection, software updates, access to the network and general security best practices. Education of our employees is key.”
Email phishing in particular is on the rise during the COVID-19 pandemic, as people are more likely to click on mysterious links if they are related to stimulus checks or coronavirus news.
“We’ve always had challenges when you leave a network; we need to keep in mind that the bad guys are working overtime in terms of phishing,” SIA’s Joe Gittens says. “If you’re able to, get that talent to provide training for customers so they understand the risks in the evolving landscape. It’s a bit out of the scope of what we typically do, but if we start bringing this talent in I do believe we can have a more holistic approach to security, which is an opportunity.”
In 2016, the infamous Mirai botnet took down internet service for the Northeastern U.S. by hacking more than 600,000 IP cameras, NVRs and routers. The Mirai botnet is still active, as are millions of hackers.
Rapid Security Solutions, Sarasota, Fla., creates its own network for security systems to ensure IP cameras will not be a point of entry for hackers.
“Then we get into the protocols of serving that network and trying to bolster it from cyber-attacks, because any one of those network nodes could be a point of attack,” says Rapid Security Solutions President and CEO Steven Paley. “We never use default passwords — we’re doing everything we can to lock down that electronic security network as much as possible, but also looking at a natural evolution to provide additional layers of cyber security, ranging from prevention to what to do after an attack.”
There are a whole range of cyber security services that are a natural evolution if you look at security as a holistic blanket, Paley adds.
Louis Boulgarides, president and CEO of Ollivier Corporation, Los Angeles, ranked No. 45 on the Top Systems Integrators report, shares a similar viewpoint on cyber.
“For security providers, the opportunity lies in being a holistic provider,” Boulgarides says. “Security is security. We should be the experts. I think our clients appreciate they can get expert guidance on all aspects of their security program.”
Navigating Emerging Regulations
Another issue bolstering interest from end users is the sometimes confusing array of regulations around cyber. There are many emerging regulations regarding cyber security at the moment, making compliance difficult for organizations to navigate. However, if they don’t comply with these regulations, there could be huge consequences.
“Cyber security and physical security have to be a priority for the end customer,” King says. “Failure to comply with the guidelines results in very large fines. And on top of that, the reputation of the organization is at stake.”
In Europe, the General Data Protection Regulation (GDPR) came into effect in 2018, providing clear guidance on data protection and privacy that all companies working in the European Union must follow. Things aren’t so simple in the U.S. There is no federal law at the moment regarding data privacy and cyber security. Instead, individual states are taking the lead.
The California Consumer Privacy Act has been a hot topic since it went into effect at the start of 2020. New York Governor Andrew Cuomo signed a similar act, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, into law in July of 2019. The first phase of the act went into effect in October of 2019, and the second phase took effect this year. The state of Washington has been attempting to pass the Washington Privacy Act since 2019, but lawmakers have voted against it twice already.
“We have to worry about two things: the privacy of our customers that hinges on the product we provide them, and then the privacy issues in our own organization,” King says. “We’re at a detriment in the U.S. because we don’t have a federal law, so we are dealing with integrators with national accounts who have to comply with all these different regulations. There’s probably 40 waiting for approval. That’s a big challenge. Even someone like me, who spends all their free time trying to keep up with this, struggles to keep up.”
More Hackings, More Awareness, More Opportunity
These emerging regulations — along with a surge in cyber hackings — have bolstered customers’ awareness of cyber security, increasing the opportunities in the space.
“Year-over-year cyber security is growing by double digits,” Donegan says. “What we have seen in the past year is a growing awareness of how truly vulnerable integrated security systems are, and how few of them are actually installed and monitored securely. Increasingly we are seeing that customers understand, and require, that we provide cyber security programs to their systems to help keep them secure.”
While cyber hackings were on the rise before the coronavirus crisis, the number of cyber security threats has surged since the start of the pandemic. One cyber security firm, MonsterCloud, recently went viral for its report that cyber hackings had increased by 800 percent. Already in 2019, business-to-business news site The Manifest reported that 15 percent of small businesses had experienced either a hack, virus or data breach that year.
And not only are these attacks increasing — the hackers are becoming more skilled, too.
“It wasn’t too long ago that cyber hacking tended to be limited to states, or you had to have a lot of money to hack,” Donegan says. “What’s happened now is the tools to do these hackings are available to anyone online. It’s a lucrative business.”
As the cyber market grows, the tools are becoming more affordable, making the opportunity for integrators even greater. And while normal business may be slower due to the COVID-19 pandemic, Dunkel says this is the perfect time for integrators to enter the cyber space.
“Last year and into January 2020, PSA members embraced the idea of cyber security managed services, but were too busy ramping up hiring to address exploding traditional integrator business opportunities,” Dunkel says. “For many, this business climate has come to a sudden end with the coronavirus. Now is the time to start selling these services.”
And if integrators don’t take advantage of the current climate to start selling cyber, IT and Operational Technology (OT) will.
“Either we’re going to move into this space, or the IT and OT companies will, and then they will ultimately move into our environment,” Boulgarides says. “If we aren’t proactively addressing this, someone else is. Any company not being aggressive in this area is putting themselves at risk.”