There’s no getting around it. Cybersecurity is a necessary component of a security contractor’s business and a must-have for customers looking for complete, turnkey service. With fluidly changing threats to connected internet of things devices and infrastructures, providing secured device and network communication makes cybersecurity an essential part of your menu of services.
The coronavirus pandemic has only reinforced and magnified the expanding landscape of potential cyber compromise. Criminals have turned to exploiting additional privileges given to remote workers, potentially exposing data. Work-at-home policies and procedures were lax or not even established. Vulnerabilities include shared information, insecure channels and malicious sites.
Phishing attacks centered on workers searching for information on COVID-19. At one point, cyberattackers were sending 1.5 million malicious emails per day related to the pandemic, according to research from software company Forcepoint, Houston.
This new landscape has also pushed businesses without a cohesive cybercrime prevention plan to take action. According to data from LearnBonds, a financial news site, 68% of private and public organizations plan to increase cybersecurity spending.
That’s good news for security contractors who want to add value to customer solutions and differentiate their business. As threats become more sophisticated and bad actors use a dizzying array of methods to attack an organization’s network, system and data, a company must be well-versed in cyber disciplines to pivot quickly as new threats emerge.
It takes vigilance, expertise and action to protect end-users in this environment where physical security, IT and operational technology are connected and converged, according to Pierre Bourgeix, chief technical officer and founder, ESI Convergent, Cleveland, a management consulting firm focused on helping companies assess and define technology in the physical security and IT industries.
“Different technologies are being connected, and we have to be sure we can protect the end-user from all this merging of technology. Part of the issue the industry is facing is ensuring systems are being implemented properly—and that comes from securing and segmenting physical security devices from the LAN,” he said.
ESI Convergent offers tools, platforms and programs for converged gap, vulnerability and risk assessment.
“We need to be cautious in a world that’s converged and open to breaches, and one of the biggest issues is the misconfiguration of integrated systems, which creates gaps and opens the network,” Bourgeix said.
Security contractors should ensure cybersecurity processes are designed into their specifications, following guidelines and standards from ISO, NIST and MasterFormat’s Division 28–Electronic Safety and Security. Other measures, such as using the Open Supervised Device Protocol (OSDP) and encryption, further harden physical security.
Bourgeix suggested that some security contractors may have the staffing and expertise to offer cybersecurity as a service.
“There’s a lot to cybersecurity, like reviewing firewalls, network architecture and conducting patch and device management. Cybersecurity is not fun and it’s not easy,” Bourgeix said.
It’s no surprise that customers are looking to prevent hacking and malicious takeovers, even ransomware attacks, considering the large number of people who are working remotely and may remain off-site indefinitely or even permanently.
According to Darren James, cybersecurity expert for Specops, Philadelphia, taking steps to protect the business and employees means considering these areas:
- How workers are connecting to company/data systems (cloud, VPN, remote desktop services)
- The type and location of data/systems they need to access (cloud or on-premise, sensitive information)
- The user’s location
- How the user is authenticated (passwords, two-factor authentication, multifactor authentication, authenticated device)
- How they should be allowed to use data/systems, e.g., virtual desktop/VPN
Security contractors need to understand the processes and expertise required to offer cybersecurity as a service. Whatever you decide, you’ll probably need to hire a cybersecurity expert or turn to a reputable third-party provider to offer this new essential service to your customers.