Cybersecurity is a shared responsibility

Timo Sachse

Everyone agrees that cybersecurity is important. However, it is also an ongoing process.

Nothing man-made is ever 100% secure: intentional backdoors are bad design and show a significant lack of understanding of the basics of a cyber secure world, and programming mistakes cannot be avoided completely.

Cybersecurity is a shared responsibility: none of the stakeholders in the market can fight cybercrime alone, so we all need to work together to get ahead in the cyber game.

Let’s take a look at the different responsibilities of the different stakeholders:

The user

The main responsibility of the user is to pay for cybersecurity measures. This can be done either in a “DIY” way, meaning the IT department applies fixes themselves, or by paying an integrator/installer to look after maintenance.

A system’s lifespan is easily 10-15 years. Assuming that nothing needs to be done to keep the system in good shape is very short-sighted.

The integrator / installer

This stakeholder plays an essential role in the cyber game. The integrator/installer needs to ensure that all their own devices, laptops, mobile devices etc. are patched with the latest updates for the OS and run a sophisticated virus scanner. Selected passwords should be complex enough and individual at least per customer and site. The general habit of using one master password to make servicing the devices easier has to be avoided. Remote access to installations should be limited, and all devices that are connected to the customer’s system should be checked very carefully for viruses to avoid any kind of infection.

One thing which in today’s world is done very rarely is the maintenance of video surveillance software and connected hardware. Once installed, these systems are typically only updated if more devices are added or additional functionality is requested by the user.

Without maintenance, cybersecurity will very likely decrease over time. The probability is almost 100% that a vulnerability will be found in the system’s context, meaning the OS, the software or the hardware. Even though the risk seems low, every known vulnerability should be fixed. In most cases an instant application of the fix is not necessary, but a bi-annual system-wide update is strongly recommended.
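The two integrator habits criticised above, one shared service password across customers and installations left without a system-wide update for more than six months, are both things an integrator can audit from their own site inventory. The following script is an added example, not code from the post or from any vendor; the inventory layout, field names, sample sites and dates are constructed, and only a fingerprint of each credential is stored so the audit tool never holds plaintext passwords.

```python
"""Audit an integrator's installation inventory for credential reuse across
customers/sites and for installations overdue for a system-wide update.

Constructed example: the record format and all sample values are assumptions
made for this illustration, not data from the blog post.
"""
from collections import defaultdict
from datetime import date
import hashlib


def fingerprint(secret: str) -> str:
    """Short, non-reversible identifier for a credential so the audit can
    compare passwords without keeping them in plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


# Constructed inventory: one record per installation. Three sites share the
# same service password, and one site has not been updated in months.
INVENTORY = [
    {"customer": "acme", "site": "hq",
     "pw_fp": fingerprint("Winter2023!"), "last_update": date(2024, 1, 10)},
    {"customer": "acme", "site": "warehouse",
     "pw_fp": fingerprint("Winter2023!"), "last_update": date(2024, 9, 2)},
    {"customer": "globex", "site": "plant-1",
     "pw_fp": fingerprint("Winter2023!"), "last_update": date(2024, 8, 20)},
    {"customer": "initech", "site": "office",
     "pw_fp": fingerprint("r7$kLp2!vQ9e"), "last_update": date(2024, 10, 5)},
]

# The post recommends a bi-annual system-wide update: roughly 183 days.
MAX_AGE_DAYS = 183
# Constructed "today" for the audit run.
AUDIT_DATE = date(2024, 11, 1)


def find_shared_credentials(inventory):
    """Map each credential fingerprint used at more than one site to the list
    of (customer, site) pairs sharing it."""
    by_fp = defaultdict(list)
    for rec in inventory:
        by_fp[rec["pw_fp"]].append((rec["customer"], rec["site"]))
    return {fp: sites for fp, sites in by_fp.items() if len(sites) > 1}


def find_stale_sites(inventory, today, max_age_days=MAX_AGE_DAYS):
    """List (customer, site, days_since_update) for installations whose last
    system-wide update is older than the allowed window."""
    stale = []
    for rec in inventory:
        age = (today - rec["last_update"]).days
        if age > max_age_days:
            stale.append((rec["customer"], rec["site"], age))
    return stale


def audit(inventory, today):
    """Run both checks and return the findings as a dict."""
    return {
        "shared_credentials": find_shared_credentials(inventory),
        "stale_sites": find_stale_sites(inventory, today),
    }


if __name__ == "__main__":
    findings = audit(INVENTORY, AUDIT_DATE)
    for fp, sites in findings["shared_credentials"].items():
        print(f"credential {fp} reused at {len(sites)} sites: {sites}")
    for customer, site, age in findings["stale_sites"]:
        print(f"{customer}/{site}: {age} days since last system-wide update")
```

Run against the constructed inventory, the audit reports the one service password reused at three sites (across two customers) and flags acme/hq as overdue; the other three sites fall inside the six-month window. Grouping by fingerprint rather than by customer is deliberate: it catches reuse across customers, which is exactly the master-password habit the post warns against.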

It is the responsibility of the integrator to inform their customers about this procedure, which is not well known in the non-IT-minded security industry.

The consultant

Another essential component is the work of the consultants, the ones specifying the components for security systems.

They need not only to specify the right product features and properties, but also to specify maintenance for the system’s lifetime. By doing so they can highlight the essential importance of keeping the system updated and also be transparent about the potential cost of doing so.

However, in the context of OEM/ODM devices being installed, it is very difficult to guarantee this maintenance aspect and most customers would not buy a system for which maintenance is a game of chance.

The distributor

For a pure distributor, the topic of cybersecurity is very simple. They are just handling the logistics and do not touch the product itself.

However, value-add distributors need to consider the same aspects as integrators or installers do (see above).

For those distributors who also resell so-called OEM/ODM devices, devices they buy from a manufacturer and relabel under another (or their own) brand, a whole different set of rules applies.

First and foremost, transparency is key: they need to let their customers know what they are buying. Without this transparency it is typically the price which influences the customer’s buying decision the most.

They also need to guarantee to supply firmware upgrades in case of vulnerabilities of their original supplier. The habits of the industry show that a detected vulnerability in the original suppliers’ devices is, typically, not fixed in the devices of their many OEM partners.

The manufacturer

Their responsibilities are relatively simple to understand:

  • Do not include any intentional weaknesses, like backdoors, hard-coded passwords etc.
  • Supply the right tools to make cyber management for many devices as simple and affordable as possible
  • Educate others about the risks and how to avoid them, both internally and externally
  • Record relevant aspects in hardening guides or other documentation
  • Enable the use of standard mechanisms to make devices as secure as possible
  • Inform the partners and channel about vulnerabilities and available patches

The researcher

Vulnerabilities are very often discovered by researchers and not by hackers. Based on the type of vulnerability, these researchers decide the next steps to take. If the vulnerability is not intentional, they contact the manufacturer and give them a certain amount of time to fix the vulnerability before publishing it. But if it is a critical vulnerability of an intentional nature, like a backdoor, they instantly go public to raise awareness amongst the users of those products.

The consumer

Our own behaviour is also a key aspect of a cyber mature mindset. How often do we change the router’s password? How complex are our own passwords? Do we use different passwords or one “master” password for most of our applications? Lazy user behaviour is still one of the biggest benefits for hackers. Simple-to-guess passwords and ones that are used across all logins put consumers at risk of having their accounts hijacked.

One stakeholder alone cannot accomplish the mission to make and keep a system cybersecure. Only by having all stakeholders take responsibility for keeping data safe will we be successful in fighting cybercrime.
