While clients are concerned about security issues associated with putting AV on the network, they’re also concerned about you. (Or they should be.) The 2013 data breach at Target, in which hackers were able to break into the system via stolen network credentials from a third-party HVAC vendor, remains a vivid reminder that an organization’s vendors are potential weak links in the security chain. If AV integration firms are unable to prove that they’re following solid security processes in their own operations, they stand to lose business.
“For chief security officers, supply chain security is a very big deal because both cyber criminals and nation state attackers are going after vendors and integrators to get to the end enterprise,” said John Pescatore, director of emerging security trends at SANS Institute, a global, security-focused research and education organization. The security officer’s primary question: How do I know if the vendor I’m considering is practicing good security hygiene so the bad guys don’t go through them to get to me?
Aside from complying with certain standards (for example, PCI for any organization that processes credit card information), Pescatore counsels vendors to start by asking themselves, What’s the best way for an attacker to gain access to my business? He says that one of the most popular points of entry remains phishing emails that trick employees into clicking on links that activate malware, or into divulging passwords via fake (but real-looking) web portals. “The very first thing is to make sure your email is secure and that your employees are very, very suspicious about anything that comes in over email,” he said.
Along the same lines, Pescatore noted that companies often overlook the potential for what he dubs “accidental security incidents.” A result of human error, these events are often triggered innocently enough: an employee sends the wrong spreadsheet to the wrong individual, revealing sensitive company, financial, or customer-related data to someone who has no business seeing it. As is the case with phishing, Pescatore notes that there exist email security systems that strive to prevent this—most often by asking the sender if they’re sure they want to transmit attachments into the ether—but it’s also a good idea to regularly remind employees to be vigilant during the daily course of work.
Finally, Pescatore pointed to the Center for Internet Security, which publishes CIS Controls, a regularly updated guide on the steps to take in protecting organizations against cyberattacks: cisecurity.org/controls.
There’s also the potential for insider threats—disgruntled employees who open the gateway to malicious attacks on purpose. This is why Pescatore urges organizations to apply privilege management practices, because in most cases, not all employees need to have access to all of the company’s data. Privilege management also limits the number of employees who have the ability to upload new software into an organization’s system or make configuration modifications that can compromise security.
Be Secure Inside…and Out
One of the mistakes some organizations make is that while they may be applying solid security practices at home, they remain vulnerable when employees are on the road. “When they go on a business trip or onto a client’s site, they don’t take protective measures—they don’t VPN into their network,” said Benson Chan, senior partner at Strategy of Things, a technology research, advisory, and acceleration firm based in Hayward, CA.
Speaking of being secure on client sites, David Danto, director of emerging technology at IMCCA, an industry association focused on unified communications and collaboration, reminds AV integrators to work in an isolated network environment. “You’re not using your PC [to do system programming]; you’re using one that [has been] imaged from scratch just for that project,” he said. “And then, at the end of the project, you turn it over to the client and say, ‘Store this, and if we ever need to make any changes, we’re going to use this machine that was built for your environment.’” The cost of a dedicated PC is minimal, he argues, compared to the expense of having your client attacked because the computer that was used to program their system was infected.
Plan for Some Tough Questions
Chan notes that as vendors, AV integrators should be prepared to answer some delicate questions about their own security practices—and he concedes that this is often a difficult task.
“The hardest question to answer is, How do you protect against the unknown? You can spend all this money and you have a network that’s pretty secure today, but someone is going to come up with something tomorrow, or the next day, or the next week, and they’ll find an existing flaw that you hadn’t thought of—that no one’s thought of,” he said. Chan says companies can address this concern by establishing a solid security foundation and keeping systems updated on an ongoing, proactive basis. “It’s just like a garden: you have to keep watering, you have to keep weeding.”
It’s wise to assume that at some point you will be the victim of an attack. “The best thing you can do is be prepared, and you can have some of the key things in place. There’s only so much you can do, but you have to be able to respond, and you have to have a plan in place. It’s unrealistic not to be hacked—you have to be expecting to be hacked.”
Another thing potential clients may want to know is what resources AV integrators are putting toward their own security—specifically, how much they are spending on staying safe, and where they are investing these funds. “If you don’t have a security culture, if you don’t have a plan in place, you wouldn’t know how to answer that question,” Chan said. “If I were a customer, that wouldn’t inspire a lot of confidence.”
Like most organizational initiatives, practicing good security hygiene is a top-down exercise, and one that holds people accountable, Chan says. It’s hard for employees—who are arguably a company’s biggest defense against attacks—to be security-aware if their leaders are blasé about it. “It has to be a management-level priority,” he said. “If the people at the top don’t care about it, then no one is going to care about it.”