Get Your Head out Of the CyberSand
Security companies that sell peace of mind likely wouldn’t recover from a cyberattack as well as a company that just sells clothing and housewares.
Some sobering comments heard at a financial conference earlier this year related to trends in cybercrime and the difficulty that smaller security companies might face competing with security companies that are better prepared to protect customers. Dealers that may be very well qualified at designing, installing and monitoring physical security systems may simply fall short when providing those same customers with cyber protection, agreed experts on a cybersecurity panel at the Barnes Buchanan Conference held in February.
You might think it doesn’t matter -— after all, how does a simple alarm system with door contacts, motion detectors and a keypad invite or involve cybercrime? Physical security and cybersecurity are more intertwined than one might think. Even if you insist that your company’s products and services still exist in an analog-only world, where subscribers’ systems are not connected to the Internet and can’t be breached, then at least consider how you should protect the information that you collect and keep on them, such as credit cards.
“A security company, for years, wasn’t really involved in cybersecurity per se, and didn’t need the cybersecurity component almost. You’re talking micro switches on doors and phone lines used to transfer that information. But as security companies have gotten more cloud-connected and everything else, all of those practices become more important from a cyber perspective,” said Serge Jorgensen, president and founding partner of The Sylint Group, at the Barnes Buchanan Conference.
Tom Dennison, ADT Security Systems’ chief information security officer, also a panelist at the conference, related the world security dealers came from to the world they operate in today. “It was a very analog world. Ten years ago there were POTS and receivers and that was it,” he said. “Now with home automation it’s a whole different game. Beyond that it’s your customers’ data. You’re collecting their credit card, their home, their contacts, those kinds of things. You have a responsibility to the customer on that, and companies have to take that very seriously.”
It’s a mistake to think that cybercrime only happens to the other guy, or only happens to the big guys. Jorgensen said he has observed a trend in which attacks are now directed towards smaller targets.
“We’re seeing increasingly skilled organized crime groups that are benefiting from attack techniques and tools developed by nation-states to be able to launch more and more sophisticated attacks against infrastructure. And they are focusing their efforts on smaller and smaller infrastructures, and smaller and smaller businesses, because they’ve hit the big guys already. They’ve hit the Targets and Home Depots… and now they’re saying, ‘Who else? Who’s next on the radar?’”
Because security companies are held to a higher standard, Dennison thinks it might be more difficult for them to recover from a cyberattack. “Some of the larger companies have recovered fairly well. Target recovered pretty well from their breach, but they sell clothes and housewares. Security companies that sell security, peace of mind, probably won’t recover as well,” he said.
In a March 24 segment that aired on CBS This Morning, concerning a charge by the federal government against seven Iranians who used a cyberattack to attempt taking control of a New York dam, Perry Pederson, C|CISO, co-founder and managing principal at The Langner Group LLC, brought up an interesting subject. “I would be very concerned about a blended attack — one that uses cyber to perhaps soften the target, shutdown control systems or security systems, create openings that provide opportunity for physical attackers to then come on site,” he said during the CBS program.
The concept of a “blended attack” is both provocative and alarming.
At the time of this writing, ISC West is yet to occur, and I am looking forward to seeing the new Connected Security Expo at ISC West. If you miss it there, then check it out at www.connectedsecurityexpo.com.
With cybersecurity top of mind this year, you won’t find a lack of educational resources. TEC 2016, a training event hosted by PSA Security and open to everyone in the physical security industry, will be held in May and includes cybersecurity as one of its major tracks. Also stay tuned to SDM where you’ll get additional coverage in September in our cover story, “Developing a CyberSecurity Plan.”