Who Left the Door Open? Don’t Let It Be You

It was a beautiful Fall Sunday and after a day of yard work I finally sat down to watch my Patriots take the field. It was at that time when I was startled by a creature scurrying across the floor. My own curiosity and a screech from my wife encouraged me to identify the breach.

After a challenging hunt I finally seized the perpetrator and set it free outside. I thought I was done until I later found a similar one hiding in the garage. At that time I decided to do a penetration test to determine where the access point was and what the potential impact was.

The good news was there was only a small nest in the garage and the access point was an open garage door and the house penetration was also a door left open. This experience got me thinking. When I heard at the PSA Cybersecurity Congress that the Target breach was due to access through the HVAC system, the bell went off.

We integrators who implement and support technology-based systems introduce the potential for cybersecurity risks with every piece of equipment we deploy for our clients. The devices we deploy are like doors: they are easy points for predators to penetrate the network and eventually access sensitive data.

The question we need to ask ourselves is, Are we leaving the door open? Here are a few questions to answer within your organization to see how wide your door might be.

Are the passwords used to access the client equipment tightly guarded and changed consistently?
Are passwords left up to the engineer to create and do they vary from client to client? Or is it “password” spelled backwards?
Are there technology diagrams laying around with sensitive information such as IP addresses, passwords or access information? Can any of your clients or their employees walk out with/email this information to someone?
Do you change passwords every time an employee leaves or a client contact leaves?
Is your access for support of your client encrypted and tightly guarded with limited access?

Chances are that you won’t like most of the answers to these questions. After all, we grew up in the days when most passwords were factory-default. However, today, if we don’t address this issue, our technology may introduce a cybersecurity risk or breach point for our clients and leave us liable.

Here are a few suggestions for systems integrators to heed:

Rally your brightest minds from across the organization to form a security council that will create a plan that addresses password administration, secure remote access, and client documentation.
Implement a password management system and a document sharing system that limits access by rights to all documents and time stamps who and when.
Review your employee exiting process and make sure that there are specific guidelines and ownership that when an employee leaves any access to client networks is changed. Also engage with your clients to create a process by which they notify you when anyone leaves so that you can make similar changes.
Educate your organization from top to bottom about the cyber risk your business poses to the client. Double down on engineers to educate them on strong business practices related to passwords, access, documentation, and the potential for a breach.
Implement an auditing process that routinely checks for breach points, verifies employee adherence, and posts the findings within the organization to highlight their importance.
Create a formal document that encompasses your governance model and can be marketed to clients highlighting your best practices.
Purchase a cybersecurity liability insurance policy to protect your business in the case you are sued. Most business insurance policies do not go far enough to protect your business in this area.

Organizations have experienced a 176 percent increase in the number of cyber-attacks since 2010. Cyber-criminals are using every network-connected device as an access door. No one wants their name in the news when it comes to cyber breaches. The impact on your reputation and cost to your company will far exceed the investment to secure your business practices proactively.

Please connect with me on LinkedIn and I would be happy to share more insight on this topic.

Paul Cronin is a facilitator of excellence at CroninCorp and serves on the boards of several industry vendor and partner advisory councils. Paul’s consulting services help integrators accelerate growth and create a culture that embraces change. Connect with Paul on LinkedIn or contact him at Paul@cronincorp.com.

PSA Security Network is one of the nation’s leading sources for education, training, and industry networking events. With multiple settings and events throughout the year to meet and exchange industry knowledge, there is something for everyone.

The Electronic Security Expo, owned by ESA, is designed to help electronic security pros to network with other like-minded professionals and to educate about improving your company’s efficiency and productivity