Thanks to a recent spate of ransomware attacks and other cyber threats, the world is now finally waking up to the realization that no company, organization, or entity is immune from these attacks.
For integration firms, lacking a robust cybersecurity posture, along with plans and processes for when malicious activity is discovered, could cost you business.
For example, take President Joe Biden’s recent executive order on improving the nation’s cybersecurity, which calls for greater visibility into the security of the products and services being utilized by federal agencies, or the DHS’ cybersecurity regulations for pipelines.
While those pieces of news may not actually impact integrators directly, Washington’s clamping down on cybersecurity sends a message to the corporate world that everyone is at risk and cybersecurity needs to be taken seriously. Now, customers want to know about your cybersecurity chops.
New requirements from customers
Jim DeStefano, senior vice president of integration firm Unlimited Technology, said during a recent Defendify webinar his company has been seeing a lot of requirements come down from customers in critical infrastructure. He didn’t mention any specific attacks, but it is noteworthy that his comments came after the Colonial Pipeline ransomware incident.
“Especially in that vertical, we’re seeing a lot of requirements come down,” he said.
DeStefano mentioned the Security Industry Association’s upcoming cybersecurity certification, which was developed with the help of PSA and could require your company to have staff trained and certified.
Likewise, the healthcare industry is also beginning to mandate that its service providers be as cyber resilient as humanly possible, said Matt Thorne, executive vice president of Electronic Contracting Company.
“When you’re installing nurse call stations, you’re dealing with patient data, so they want to see how you’re going to handle that … because if we need to be able to trust you with this data, there’s a lot of liability to think about,” Thorne said.
Integrators being pressed in new ways
During the webinar, Tom LeBlanc, director of industry outreach for NSCA, said integrators are being asked about their cyber defenses and ability to secure their information in a few different ways, including “testing the waters” with integrators to see how loose-lipped they are about sensitive information.
“In other words, if you don’t do a good job communicating with your customer being really careful about the information you’re going to disclose to your customer, that customer has to be thinking, ‘Well, you know, he’s not going to be careful with my critical information as well.’”
Integrators should think of these meetings as job interviews, as customers are analyzing your credibility and technical knowledge.
Customers now also want to know about your specific policies and procedures in the event of a breach, and some are even requiring that you have some kind of cybersecurity certification.
Currently, government, healthcare, defense and other mission-critical organizations are demanding that integrators prove that they are secure, but that will soon bleed into the rest of the business world as cyberattacks escalate indiscriminately.
“You will see a lot more of that,” LeBlanc said. “It’s not going to diminish – it’s going to escalate, and it’s going to expand from what you might think of now as a mission critical project, to almost every project you’re going to be working on.”
New laws and regulations coming
In addition to executive orders and regulations from the federal government, there are also a host of bills having to do with cybersecurity and the Internet of Things pending before Congress and a handful of state legislatures that could impact how integrators work with various customers.
According to NSCA’s legislation tracker, there are seven such bills before Congress and state legislative bodies, including bills that aim to protect the cybersecurity of small businesses, bills that require breaches to be disclosed, bills that implement cybersecurity standards in state governments and bills that establish state-level cybersecurity commissions.
“We believe that we will start to see more and more regulations that require contractors, such as integrators, who install systems on a network, to have cybersecurity training and certification,” LeBlanc said.