In a period of history that seems to be increasingly rich in irony, there was something strangely perfect about the theme of this February’s RSA Conference in San Francisco – one of the world’s most well-attended cybersecurity events – being ‘The Human Element’. The troubling emergence of coronavirus has reminded everyone about the enduring destructive potential of physical viruses, but even though this was inevitably a topic on the showfloor there was also reportedly much discussion of online threats – with sources of concern ranging from Internet of Things devices to organised gangs and governments.
The popularity of RSA and other cybersecurity events underlines the extent to which this has lately become a prominent issue throughout the professional world. In individual countries, major security-breach cases have served to flag up the topic at organisations in both public and private sectors. In the UK, James Bayliss – technology experience engineer at systems integrator Vanti – cites one particular ransomware attack as a catalyst for new enquiries.
“Organisations are now very aware of the imminent risk to the critical infrastructures and services,” he says. “After the NHS England WannaCry outbreak in May 2017, we have seen a sharp increase in organisations looking to implement different security solutions including disk encryption, multi-factor authentication, and stricter system patching policies to prevent out of date systems being compromised.”
But, as we shall see, it’s not all positive and there are still plenty of businesses out there who have (at best) a fractured approach to cybersecurity. This should be a cause of concern for everyone as the interconnectedness of organisations grows and the number of potential threats – ranging from phishing attempts and malware to the widespread adoption of Internet of Things (IoT) and Bring Your Own Device (BYOD) within institutions – continues to rise.
Lay of the land
Most contributors concurred that the number of enquiries about security provisions has increased dramatically during the last few years. This can be variously attributed to factors such as bad experiences, improved awareness and the very real threat of penalties related to new regulations – most significantly, the EU’s General Data Protection Regulation 2016/679 on data protection and privacy, which came into effect in May 2018.
John Pavlik, senior director systems engineering at Crestron, comments: “We can see a huge increase in the number of people and companies that are taking cybersecurity seriously, which is a good thing as we all have to make an effort to reach increasingly better and more open security measures. The difference is striking. Five years ago, I received maybe two security questions per month; now I receive four or five each day. People are asking questions, [as well as] doing their own research and testing. They don’t just assume that everything is secure anymore.”
For Pavlik, two specific developments have been instrumental in effecting change. “A large part of it has to do with the convergence between AV and IT,” he says. “Now that AV is part of the IT infrastructure, there’s a higher demand for secure, impenetrable technology. Another factor is that the GDPR requires complete openness on data breaches. As breaches at other companies become common knowledge, our customers want to make sure that we – and they – live up to the regulations and are doing their due diligence.”
The fines now being handed out to organisations that breach GDPR must surely be serving to focus minds. Recent data published by Computer Disposals Limited (https://www.computerdisposals.co.uk/blog/mapped-every-gdpr-fine-and-enforcement-action-to-date/) reveals not only the scale of the fines imposed so far, but also the extent to which they vary from country to country. While Spain’s 38 infractions constitute the highest number in the region, their collective cost was just over 1 million euros. In the UK, there were only three violations, but they involved high-profile organisations (e.g. British Airways) and totalled 315,210,200 euros.
James Bayliss points to an upturn of activity in network protection and the role played by several specific threats in encouraging more action in education. More and more, he says, “stricter network measures are in place to prevent unauthorised physical and remote access, with intrusion detection systems monitoring and taking preventative measures when needed automatically. Also, the education sector has seen an increase in phishing/spoofing campaigns in order to access personal and sensitive data. This has resulted in these establishments increasing investment in next-gen firewalls with advanced intrusion detection and prevention systems.”
Elsewhere, there are voices who issue a less positive view of the current situation. Joel Chimoindes, VP Europe for Maverick AV Solutions, indicates that there is still much to be done, but feels that IoT could actually prove to be an important spur to action. “Security is a huge issue throughout the AV estate and an area which still isn’t being taken seriously enough in comparison to the devices being deployed,” he says. “We are able to call on our security teams to provide diagnostics on networks and recommendations for their improvement, which has been a large area of growth in the last 12 months. As we bring IoT throughout a network, as long as it is correctly deployed and secured then this could be the turning point which brings together all the elements with security at the core.”
Spiros Andreou is the service delivery manager at systems integrator CDEC with responsibilities including privacy and GDPR governance, ISO 27001 implementation and compliance, IT auditing, incident management and risk assessment. “My background is in IT cybersecurity and governance, and I have been working in AV for about three years,” he notes. “Every year at some point I rail in the sector press about AV devices and cybersecurity, and unfortunately my impression is that it is still not being taken seriously. There is still a lack of movement among many organisations in terms of treating the devices and the configurations as if they are in any way important to institutional security.”
He has several theories as to why this is the case, but highlights an enduring idea about AV that has survived well into the era of convergence. “The heritage of AV was always focused on standalone equipment and it was very isolated without anything to do with IT,” he says. “As we have gone into more modern, converged IT/AV environments, I think a lot of organisations still don’t see [the threat relating to AV] as particularly high-risk when compared to some other threats, such as phishing attacks and the hacking of customer data.”
Implementing a security strategy
Whilst the extent of action taken by organisations evidently differs sharply in some cases, there is relative uniformity when it comes to guidance for those companies that are prepared to invest the time and resources in a long-term, unified cybersecurity strategy.
For Bayliss, the top items on the list should include the securing of cloud applications. He urges “ensuring that users are provisioned with multi-factor security, regardless if they only have the lowest level of given access. [Also] ensuring that corporate devices meet a level of compliance before being able to access the network and applications; this includes network AV equipment…”
Providing employees with regular reminders and training sessions should also be part of the plan. “Security awareness training can give users the understanding of the importance of data security, and having the governance to back it up is essential in a strategy,” comments Bayliss.
For his part, Andreou says it is generally the case that “those clients for whom [cybersecurity] is a real concern will have already taken the time to evaluate the different technologies available for [a specific requirement].” He cites the recurring example of wireless presentation systems, where clients will “perhaps have looked at three or four options and then made a decision based on which one meets their policies with regard to security.”
Once the system choices have been locked down, the emphasis will then be on “working hand in hand with the client to make sure their network is configured in such a way as to not expose them to serious risk. It’s also important to support their security policy” and help them implement effective precautions in terms of ongoing governance and reporting: “New threats are coming out all the time so there has to be a structure to remain one step ahead.”
Separate network scenarios
The growing number of threats, as well as some of the issues arising from unified networks, have led some to question whether there is still a serious case for separate network environments. Whilst Andreou feels that converged networks can often be the way forward, there remains a strong argument for separation in “any heavily regulated industry, such as banking, finance and legal; basically, any space where there is a need to report to regulators.”
In such instances “we would recommend that clients consider when and how their devices would be used, and would ensure that any proposal put forward would satisfy the regulator and be able to respond quickly enough to any changes in the cybersecurity environment.” He cites smart TVs as a theoretical example, suggesting that one or more regulator could ultimately decide that some devices are no longer compatible with industry best practice.
Andreou also agrees with the suggestion that the rise of voice assistants, increasingly driven by AI and facilitating massive data collection, could cause serious problems in heavily regulated sectors. As well as the data implications, “it could be that VAs receive firmware updates in the future that involve additional functionality that companies are not aware of. It is easy to imagine features being enabled [without specific approval] that include third parties being in receipt of information that companies would not want them to have.”
From a vendor perspective, Pavlik also indicates that there are pros and cons of convergence, but emphasises that the end-result can be profoundly affected by the actual users of the technology. “One of the principles of defence in depth says that technology and people should only have access to the resources they need in order to function,” he says. “So from a general policy standpoint it makes sense to remain on a separate network, depending on what information is available on the network. That way the AV network tends not to have personally identifiable information data or financial data. It is used to send video and audio. And while it is important that this is done in a secure way, the vast majority of data that needs to be protected is on the rest of the network.
“On the other hand there are benefits to having devices on the same network – whether it is the ease of centrally managing devices and updates, or new features like [Crestron’s] AirMedia technology, which provides digital signage, calendaring and presenting via the corporate WiFi network.”
Ultimately, it must be down to organisations to “make their own decisions about how to segment their networks”, with SIs and vendors alike doing everything they can to provide useful advice, instruction and training.
The IoT factor
In general, companies making professional-grade products have been one step ahead of the curve in terms of improving security and seeking compliance with exacting standards. For example, Pavlik says Crestron has been “investing millions into the development of secure products for years now” and points to its DM NVX being “the first and only AV-over-IP technology to receive Joint Interoperability Test Command (JITC) approval by the U.S. Department of Defense Information Systems Agency (DISA), and FIPS 140-2 validation by the NIST (National Institute of Standards and Technology), an agency of the U.S. Department of Commerce, which clears the way for DM NVX to be safely deployed in the most secure information network infrastructures.”
But what of the imminent prospect of numerous IoT products derived from the consumer space being added to professional networks? Whilst not underestimating the potential risks, Pavlik takes a fairly positive view: “More devices doesn’t necessarily increase the risk. Sure, the problem theoretically becomes worse, as a security risk in a percentage of a million products is more than a risk in a percentage of 1,000 products. But it’s a matter of making sure that end-users and professionals are well-versed in how to install a product in a secure fashion. It’s our job as manufacturer to make sure that our products are secured and do better than the industry standards in every aspect. At the same time, we see that our customers are doing their due diligence and we are happy to help them.”
Andreou has serious concerns about the implications of IoT for professional installations, citing examples such as “very cheap devices that can be bought these days, like thermometers, that come with a network port but have been developed without much thought given to security and can therefore cause major problems when they are compromised.” And once a weakness has been detected, an attacker can seek to capitalise on that by “becoming very persistent in terms of continually attacking services on a network. Once that has happened it may be that you are well and truly ‘owned’, and you need to evaluate whether you get in your car, go home and never come back!”
Final word on the subject to Bayliss, who raises some questions that are surely pertinent to any organisation thinking about implementing IoT products: “How secure is the connection between the device and its cloud platform? What measures are in place to stop unauthorised access? How often are updates [issued]? What happens with the data that has been collected? Can the manufacturer use the data for analytics to sell other products? All of these concerns should be addressed before considering any implementation. Your network and data are yours, and not someone else’s. Don’t let someone control your BMS from your occupancy sensor!”
In recent weeks the rapid spread of coronavirus has already led to companies, schools and other organisations temporarily closing their doors and undertaking other preventative measures. With increasing talk of serious economic impact – even a worldwide recession – if the situation worsens, a cybersecurity review is surely one of the most beneficial damage-limitation exercises an organisation can undertake right now. Certainly, a company that can implement and demonstrate its commitment to protecting its assets and those of its customers will be better-placed to withstand both current threats and whatever new ones emerge during this deeply unsettling period in global history.