Aware but not prepared – companies struggle to build their cyber defenses
Cyberattacks have been dominating recent news with attacks against diverse targets, from airlines and health providers to city councils and banks. However, it seems like many businesses are not keeping up with the cybercriminals. Along with our partner Genetec, we recently conducted a survey of 175 end users of video surveillance systems, to better understand the state of cybersecurity.
Here are the main findings:
- Many companies today are aware of cybersecurity and its potential impact. In fact, 87% of respondents say their companies prioritized cybersecurity as a serious risk to their operations;
- However, only a minority of companies (15%) feel they are adequately prepared to mitigate cyber threats;
- While 76% of respondents stated that physical protection of assets and safety were their main responsibilities, none of them named internal attack factors as a cybersecurity threat, in contrast to legacy systems.
This last insight, however, is in stark contrast with international research findings, which identify accidental or deliberate human mistakes, poorly configured systems and poorly maintained systems as the most common weak points. The IBM X-Force Threat Intelligence Index 2018, for example, attributes two-thirds of compromised records to human error. This is backed up further by earlier IBM research findings, which attribute more than 95% of all successful breaches to these internal factors.
Another interesting finding was that around 60% of respondents lay the blame on legacy systems. While these systems are a clear weakness, cyber threats are actually just as relevant for recently deployed firmware and software versions as for older ones. After all, nothing man-made can ever be 100% secure.
This suggests a common misconception: that product security is the only way to mitigate vulnerabilities and threats. On the contrary, companies need to manage cyber risks across many dimensions, both human and machine-to-machine. That’s because cybersecurity is a shared responsibility spanning users, maintainers, installers, manufacturers, consultants and more.
System users and administrators need clear policies, processes and procedures in place to ensure that correct security measures are performed on a daily basis. Which devices and systems exist? Who is responsible for them? When and how should they be maintained? The focal points are then found in designing, deploying and maintaining cybersecure systems. Typically, this means consultants need to recommend the right cybersecurity features and properties over the system’s lifespan. Those responsible for deploying and maintaining a system are typically integrators, installers or specialist consultants; they need reliable processes for sourcing and deploying video surveillance systems, devices and components, as well as for maintaining all related security systems.
For device manufacturers this means:
- Applying cybersecurity best practices in the design, development and testing of products to minimize the risk of flaws that could be exploited in an attack.
- Providing clear instructions on how products are to be securely deployed and maintained.
- Supplying device management tools that provide simple and affordable means to apply cybersecurity controls, such as managing a device inventory, passwords, firmware upgrades, and HTTPS and IEEE 802.1X certificates, among others.
- Promptly informing partners and channels about vulnerabilities and available patches when critical vulnerabilities are discovered.
Many survey respondents seem to lack a holistic approach for managing all the various cyber threats they can encounter. Meanwhile, some are seemingly influenced by the latest cyberattack headlines. However, most newspapers and news outlets focus on sophisticated attacks, which of course make for compelling headlines that help sell subscriptions. Little space is given to the most common risks: deliberate or accidental misuse of the system, poorly configured systems and poorly maintained systems.
Tackling these risks requires a far more practical and constant approach, such as working closely with people properly trained in cybersecurity, as well as setting clear and actionable policies, processes and procedures for every aspect of the system. Adopting this holistic mindset is the only effective way to manage all the various types of cybersecurity threats.
Maybe you’re already on the path to better cybersecurity, or maybe you have just started realizing its importance. Either way, what matters most are the actions you and your organization take every day.
Unsure about where to start?