Cybersecurity is (still) a shared responsibility

The cyberthreat landscape is continuously evolving. Following recent geopolitical events, we have seen the landscape shift from mostly opportunistic to much more targeted and organized. The emergence of new cybercriminals and ‘attack vectors’ means any networked products and services are now at potential risk of attack. Whether this is unauthorized access, exploitation of vulnerabilities, or tampered software, these threats could pose a significant risk to your system.

Reducing the risk of a cyber incident requires advanced technologies and tools, as well as an understanding of best practice. Underpinning this is the idea that cybersecurity is a shared responsibility. We cannot tackle cybercrime alone; we each need to work together to stay ahead of those with criminal intent and minimize threats.

In this blog, we take a look at the varying responsibilities of the different stakeholders involved in the cybersecurity ‘chain’, which is only as strong as its weakest link.

The user / system owner

Your main responsibility as system owner is to make the appropriate investments in cybersecurity. This can be done in a “DIY” way, meaning your IT department applies fixes internally. Alternatively, you can opt to outsource your system maintenance to an integrator/installer.

However, a system’s lifespan is easily 10-15 years. Assuming that nothing needs to be done to keep the system in good shape during that time is short-sighted at best, and quite naïve.

The integrator / installer

As an integrator or installer, you play an essential role in cybersecurity. You need to ensure that all your own devices, laptops, and mobile devices are patched with the latest updates for the OS and run a sophisticated virus scanner.

Passwords should be sufficiently complex and unique at least per customer and site. The common habit of using one master password to make servicing the devices easier must be avoided. Remote access to installations should be limited, and all devices connected to the customer’s system should be checked very carefully for viruses to avoid any kind of infection.

The maintenance of video surveillance software and connected hardware is still undertaken too rarely. Once installed, these systems are typically only updated if more devices are added or the user requests additional functionality.

Without regular maintenance, cybersecurity will decrease over time. The probability is almost 100% that a vulnerability will be found in the system’s context, meaning the OS, the software or the hardware. Even though the risk seems low, every known vulnerability should be fixed. In most cases, an instant application of the fix is not necessary, but a bi-annual system-wide update is strongly recommended.

It is your responsibility to inform your customers about this procedure, which in the non-IT-minded security industry is still not as well known as it should be.

The consultant

Your work as a consultant is another essential component, given that you are responsible for specifying the components for security systems.

You need to not only specify the right product features and properties; you also have the responsibility of specifying maintenance for the system’s lifetime. By doing so, you can highlight the essential importance of keeping the system updated and also be transparent about the potential cost of doing so.

However, in the context of OEM/ODM devices being installed, it is very difficult to guarantee this maintenance aspect; most customers would not buy a system for which maintenance is a game of chance.

The distributor

For a pure distributor, the topic of cybersecurity is very simple: you are just handling the logistics and do not touch the product itself. However, as a value-add distributor, you need to consider the same aspects as integrators or installers do, as described above.

If you also resell so-called OEM/ODM devices, those you buy from a manufacturer and relabel under another (or your own) brand, a whole different set of rules applies.

First and foremost, transparency is key: you need to let your customers know what they are buying. Without this transparency, it is typically the price which influences the customer’s buying decision the most.

You also need to guarantee that you will supply firmware upgrades when vulnerabilities are found in your original supplier’s devices. Industry practice shows that a vulnerability detected in the original supplier’s devices is, typically, not fixed in the devices of their many OEM partners.

The manufacturer

Your cybersecurity responsibilities as a manufacturer are relatively simple to understand. You create the tools and technology that can make it more difficult for cyber incidents to occur in the first instance, with the development of built-in cybersecurity features in products that help protect user systems from attack. As a responsible manufacturer, you can even invite third-party ‘ethical hackers’ to find potential vulnerabilities in your products to ensure they are secure.

This not only reduces risk, it also saves your customers from the high costs associated with a cyberattack, and supports their in-house security operations teams in monitoring for and detecting potential threats.

Some topline reminders on cybersecurity best practice:

  • Do not include any intentional weaknesses such as backdoors, hard-coded passwords, etc.
  • Supply the right tools to make cyber management for many devices as simple and affordable as possible
  • Educate others about the risks and how to avoid them, both internally and externally
  • Record relevant aspects in hardening guides or other documentation
  • Enable the use of standard mechanisms to make devices as secure as possible
  • Inform the partners and channel about vulnerabilities and available patches

The researcher

Vulnerabilities are very often discovered by researchers, rather than hackers. Based on the type of vulnerability, you decide the next steps to take. If the vulnerability is not intentional, you contact the manufacturer and give them a certain amount of time to fix the vulnerability before publishing it. But if it is a critical vulnerability with an intentional character, like a backdoor, you instantly go public to raise awareness amongst the users of those products.

The consumer

Our own behavior is also a key aspect of a cyber-mature mindset. How often do we change our router’s password? How complex are our own passwords? Do we use different passwords or one “master” password for most of the applications and online services we use? Lazy user behavior is still one of the biggest advantages for hackers. Simple-to-guess passwords and ones that are used across all logins put consumers at risk of having their accounts hijacked.

A single individual alone cannot accomplish the mission to make and keep a system cybersecure. Only by having all stakeholders take responsibility for keeping data safe will we be successful in fighting cybercrime.
