Cybersecurity is (still) a shared responsibility
This is an updated version of a blog post I wrote nearly three years ago. That so much of it is still relevant today is evidence – if any were needed – that cybersecurity continues to be an ongoing journey rather than a destination.
The number of blog posts my colleagues have drafted in the past years on the subject of cybersecurity also demonstrates the continual evolution of both the ‘attack vectors’ used by cybercriminals, but also the ways in which we can counter them.
Nothing man-made is ever 100% secure – programming mistakes cannot be avoided completely – and any processes that rely on human beings are naturally flawed. Because we are.
Cybersecurity is a shared responsibility, none of the stakeholders in the market can fight cybercrime alone, we all need to work together to stay ahead of those with criminal intent.
Let’s take a look at the varying responsibilities of the different stakeholders involved in the cybersecurity ‘chain’, which is only as strong as its weakest link:
The main responsibility of the user – the person with the responsibility to run the solution – is to make the appropriate investments in cybersecurity. This can either be done in a “DIY” way, meaning the IT department applies fixes themselves, or to pay an integrator/installer to look after system maintenance. A system’s lifespan is easily 10-15 years. Assuming that nothing needs to be done to keep the system in a good shape during that time is short-sighted at best, and quite naïve.
The integrator / installer
This stakeholder plays an essential role in cybersecurity. The integrator/installer needs to ensure that all their own devices, laptops, mobile devices etc. are patched with the latest updates for the OS and run a sophisticated virus scanner.
Selected passwords should be complex enough and individual to at least per customer and site. The general habit to use one master password to make the service of the devices easier has to be avoided. Remote access to installations should be limited and all devices being connected to the customer’s system should be checked very carefully for viruses to avoid any kind of infection.
The maintenance of video surveillance software and connected hardware is still something that is undertaken too rarely or infrequently. Once installed these systems typically are only updated if more devices are added or additional functionality is requested from the user.
Without regular maintenance, cybersecurity will decrease over time. The probability is almost 100% that a vulnerability will be found in the system’s context, meaning the OS, the software or the hardware. Even though the risk seems low, every known vulnerability should be fixed. In most cases an instant application of the fix is not necessary, but a bi-annually systemwide update is strongly recommended.
It is the responsibility of the integrator to inform their customers about this procedure, which in the non-IT minded security industry is still not as well-known as it should be.
Another essential component is the work of the consultants, the people specifying the components for security systems.
Consultants need to not only specify the right product features and properties, they also have the responsibility of specifying maintenance for the system’s lifetime. By doing so they can highlight the essential importance of keeping the system updated and also be transparent about the potential cost for doing so.
However, in the context of OEM/ODM devices being installed, it is very difficult to guarantee this maintenance aspect; most customers would not buy a system for which maintenance is a game of chance.
For a pure distributor, the topic of cybersecurity is very simple: they are just handling the logistics and do not touch the product itself. However, value-add distributors need to consider the same aspects as integrators or installers do, as described above.
For those distributors who also resell so called OEM/ODM devices, those they buy from a manufacturer and relabel under another (or own) brand, a whole different set of rules apply.
First and foremost, transparency is key: They need to let their customers know what they are buying. Without this transparency it is typically the price which influences the customer’s buying decision the most.
They also need to guarantee to supply firmware upgrades in case of vulnerabilities of their original supplier. The habits of the industry show that a detected vulnerability in the original suppliers’ devices is, typically, not fixed in the devices of their many OEM partners.
The manufacturer’s cybersecurity responsibilities are relatively simple to understand:
- Do not include any intentional aspects such as backdoors, hard-coded passwords etc.
- Supply the right tools to make cyber management for many devices as simple and affordable as possible
- Educate others about the risks and how to avoid them, both internally and externally
- Record relevant aspects in hardening guides or other documentation
- Enable the use of standard mechanisms make devices as secure as possible
- Inform the partners and channel about vulnerabilities and available patches
Vulnerabilities are very often discovered by researchers rather than hackers. Based on the type of the vulnerability, these researchers decide the next steps to take. If the vulnerability is not intentional, they contact the manufacturer and give them a certain amount of time to fix the vulnerability before publishing it. But if it is a critical vulnerability with an intentional character, like a backdoor, they instantly go public to raise the awareness amongst the users of those product.
Our own behavior is also a key aspect to a cyber mature mindset. How often do we change our router’s password? How complex are our own passwords? Do we use different passwords or one “master” password for most of the applications and online services we use? Lazy user behaviour is still one of the biggest benefits for the hackers. Simple to guess passwords and ones that are used across all logins put consumers at risk of having their accounts hijacked.
A single individual alone cannot accomplish the mission to make and keep a system cybersecure. Only by having all stakeholders take responsibility for keeping data safe will we be successful in fighting cybercrime.
Read the Axis Cybersecurity eMagazine for more cybersecurity insights and inspiration.