Data breaches are an unfortunate part of the reality of doing business in the digital age, with even the most venerable of companies being tangled up in what can be a mess.
Yahoo, Capital One, Marriott, Equifax, eBay, JP Morgan Chase and Home Depot have made headlines in the last decade for customer information falling into the wrong hands. Even Target was the victim of a data breach in 2013.
However, the Target breach was hardly the retailer’s fault. An HVAC company that had access to the company’s network was infiltrated, giving hackers access to the credit and debit card information of 40 million customers.
Pro AV integrators are installing systems that are increasingly plugged into their customers’ networks, so security of your own network is becoming one of the most important things to consider in 2020.
A robust cybersecurity plan is increasingly becoming a requirement
According to Rob Simopoulos, co-founder of cybersecurity software firm Defendify, the security teams of AV integrators’ customers are beginning to realize that highly specialized experts are plugging into their networks and opening themselves up to vulnerabilities.
Now, AV integrators are being hit with a long checklist of cybersecurity best practices, policies and procedures before a customer grants them a contract.
“I’ve seen questionnaires hundreds of questions long,” Simopoulos said, adding that these requirements are being built right into RFPs.
Integrators are asked if they’ve ever tested their own network for vulnerabilities, if they train their team on cybersecurity and if they have set policies and plans around cybersecurity.
While big companies will make headlines when they announce a data breach, it’s small businesses that are becoming a favorite target of hackers. According to a 2019 report from the Ponemon Institute, 76% of small and medium-sized U.S. businesses surveyed said they were the target of a cyber attack. That’s up from 55% in 2016.
AV integrators should ask the manufacturer how to configure devices
Integrators have a huge catalog of IP-connected devices at their disposal, but integrators aren’t great about configuring those devices in the most secure way, Simopoulos said.
“[Integrators] should really be talking to the manufacturers of these devices to understand how to configure them before they’re deployed on customer networks,” he said.
Many of those same devices require security updates and patches, but then it becomes a question of who is responsible for applying that update or patch.
As integrators begin to take on the role of a managed service provider, this could be a part of the service contract, Simopoulos suggested.
“They can go out there and provide it as a managed service to help customers be more secure,” he said.
Policy and procedures, training and testing
Thanks to horror stories from colleagues at different companies and recent conferences focused on cybersecurity, California-based AV integrator ClearTech Media now takes cybersecurity as seriously as anyone.
The firm holds regular training and runs unannounced phishing email simulations. If an employee clicks on a phishing email link, they have to watch a video on cybersecurity best practices.
According to De Bono, she gets 1,000 phishing emails a month. Luckily, the company has not discovered any data breaches. However, an employee’s email was recently spoofed to ask a client to reroute payments to a different account.
It took just minutes to diagnose the problem once the company noticed, De Bono said.
Although a concern, that pales in comparison to other attacks on AV integrators, including one referenced by De Bono where a company was frozen out of every essential system for weeks for a $500,000 ransom.
“For a small business like ours, it can put us out,” De Bono said. “It can completely kill our company.”
Not only should employees be tested for their cybersecurity skills, but your own network should be tested as well, Simopoulos said, adding that the organization needs to buy in to cybersecurity and adopt it as part of the company culture.
Two-factor authentication can be time-consuming and inconvenient, but it’s one of the first steps companies should take to shore up their network security, Simopoulos said.
Beyond that, companies should test their own network for vulnerabilities and conduct ethical hacking to identify any weaknesses.
“It’s a lot more than just antivirus and firewalls,” Simopoulos said. “It’s really getting into the procedure side of the organization to make sure you’re protected.”