Monday — July 19, 2021

Cybersecurity is Everybody’s Business


By Christian Morin
Chief Security Officer and Vice President Integration and Cloud Services, Genetec Inc.

Trends, Topics and Technologies


Earlier this year, Genetec surveyed 1,500 security professionals and found that 67% of them are prioritizing cybersecurity in 2021. This is up from just 31% at the end of last year. The increase is not surprising.

According to RiskBased Security, data breaches exposed 36 billion records in the first half of 2020 alone. But prioritizing cybersecurity does not require that security professionals become proficient overnight. In fact, taking a collaborative approach and working with the existing experts within their organization can yield better results.

Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) have been keeping their networks safe for a long time. Effectively protecting sensitive data means developing and implementing a comprehensive cybersecurity strategy aimed at reducing attack surfaces that can make a network vulnerable. But this is difficult to do if CIOs and CISOs do not have a complete picture of their network assets. One technology stack that is often overlooked is the hardware and software that makes up an organization’s physical security systems.

Physical security of the past consisted of physical assets like perimeter fences and locks on doors. The attitude was ‘install what you need and let it do its job.’ As security changed, this mindset persisted within many organizations. Even as they began implementing IP-based technology and Internet of Things (IoT) devices, they didn’t always think about how these assets might make their networks vulnerable. In many instances, even though a physical security system resides on an organization’s network, it is managed by corporate security instead of the IT department.

But physical security and information security are linked. If someone can physically access an organization’s server rooms, they can do anything they want. Similarly, if someone is able to hack into an organization’s network, whether through a video surveillance camera, a piece of HVAC equipment, or an employee’s laptop, they can also do what they want. The challenge is to get physical security and IT to work together because safeguarding an organization’s network infrastructure is everyone’s responsibility.


What Can CIOs and CISOs Do to Harden the Networks?

One of the first steps CIOs and CISOs can take is to create a proper asset inventory of all physical security software and hardware, including intrusion detection software and access control readers. You can’t protect your network if you don’t know what’s on it.

Once you know what you have, you need to ensure that all of the software on your devices is up to date. If there are devices on the network that are no longer supported, there are measures an organization can take to isolate them to limit risk and exposure.

In addition to keeping software up to date, it is also important to ensure proper maintenance on devices. In the physical security world, we often see a set-and-forget mentality, which can lead to an organization not investing enough in maintaining hardware over time. Without proper maintenance and best practices, a physical security system can increase network vulnerability.

Strong cybersecurity governance also requires implementing policies that ensure single sign-on rather than shared accounts. Unfortunately, some security teams have admin accounts that are accessed by everyone, which makes both traceability and accountability virtually impossible.

It is also important to ensure that all devices have strong passwords. According to Verizon, 80% of successful cyberattacks are a result of weak or vulnerable passwords. While policies can help, choosing devices that require passwords to be reset at installation means that unauthorized access can’t happen using a product’s default password.

For CIOs and CISOs, maintaining the overall security of their organization’s network is key. One important aspect of an effective cybersecurity strategy is developing clear guidelines governing network and IoT best practices. Another is establishing a strong partnership between physical security teams and IT departments. Because our networks are connected, our departments should be too.


Connect with ISC West


July 19-21, 2021 • www.iscwest.com