Your Lack of Cybersecurity Diligence Is Costing You Business

IT directors protective of their networks aren’t likely to work with vendors that don’t demonstrate cybersecurity measures in their digital interactions. That probably means you.

Tom LeBlanc

If your business lacks cybersecurity discipline, that’s obviously a bad thing from a security standpoint. But consider that it’s also terrible for your sales.

Can you confidently eat at a restaurant after noticing that its bathroom is a horrendous mess? Would you take fashion advice from a salesperson who is dressed tastelessly?

I wouldn’t.

Well, put yourself in the shoes of an IT professional bent on making sure that her organization’s network is protected against cyber criminals. She’s very unlikely to do business with a technology contractor that doesn’t demonstrate an appreciation for cybersecurity in its digital interactions.

Think about it. If a vendor exhibits reckless digital behavior, an IT director won’t want that vendor anywhere near his network.

My guess, however, is that most AV integration firms make a habit of demonstrating “reckless” digital behavior. In doing so, they reveal their cyber vulnerabilities during interactions with their customers and prospective customers (most of which make purchasing decisions through their IT departments).

That’s not good.

During a presentation at NSCA’s 2018 Pivot to Profit, Rob Simopoulos of cybersecurity provider Defendify laid out some of these reckless digital behaviors. Many are so commonly demonstrated that it’s almost as if they’re hiding in plain sight within most organizations.

Here are some cybersecurity takeaways from Defendify:

Threat of working with a cybersecurity-ignorant contractor is real

Remember the data breach at Target that affected 41 million customers?

The gateway for that cyber crime was through an HVAC contractor that worked with the retailer, Simopoulos pointed out. The hackers broke into the contractor’s network and pivoted into Target’s. In fact, 60 percent of data breaches are related to a third party, he added.

If you’re an AV integrator, that should legitimize any concern your customers might have about your cybersecurity knowledge and readiness.

Your company and your customers are targets

When Simopoulos asked the Pivot to Profit crowd, mostly people running AV and security integration firms, how many have had a cyber-attack at their organizations over the past 12 months, only a smattering of hands went up. Many who didn’t raise their hands are likely wrong. Simopoulos said that 68 percent of small businesses have experienced a cyber-attack over the last year and 50 percent of these crimes target small businesses.

Cyberattacks are extremely costly

We all understand the value of physical security to protect businesses. Well, the average loss in a physical burglary is about $2,000, Simopoulos said. “In a cyber-attack it’s $117,000-plus.” So it’s understandable that customers would want their contractors to respect that risk.

You probably don’t realize how much data you need to protect

If your customers’ IT departments aren’t concerned about their contractors’ IT security, they should be. Simopoulos polled the Pivot to Profit crowd and listed elements that companies need to protect from a data perspective. Really, he said, “it’s anything you wouldn’t be willing to put on a public-facing website,” including:

  • HR data
  • Financial data
  • Employee personal information
  • Vendor prices
  • Proprietary information (e.g. related to product development)
  • Most importantly, sensitive customer data such as IP addresses, network topology, floor plans, MAC addresses and the customers’ own customer information

“There’s a lot of important information there,” he said.

Cyber-threats come from four major sources

  • Cyber-criminals (hackers, pretty self-explanatory)
  • “Hacktivists” or “hacktivism” (criminals who hack for some political motivation)
  • Cyber-soldiers (they might be attacking the U.S., they might be sponsored by some state)
  • Insider threat (sometimes it’s malicious and on purpose and other times it’s a negligent insider causing a threat)

Phishing has gotten very sophisticated

While the days of Nigerian princes hitting people up for money via email aren’t over, there are far more advanced methods of phishing today. Simopoulos pointed out that phishing emails have gotten very smart. If your employees get a notification that they’re about to receive a FedEx package, it’s pretty tempting to click for tracking information. If they get a LinkedIn invitation, it’s human nature to accept it.

“Never click on an email to accept a LinkedIn invitation,” Simopoulos said. “Go to the site or the app.”

“These criminals are often very patient. They’ll take time and research your companies and who you’re doing business with,” he added.

The reality is that there is “only one way to protect yourself against” phishing, Simopoulos said. “It’s to act like every email you receive is fake. If you weren’t expecting it, you have to verify it.”

Now put yourself in the shoes of your customer’s IT director again. If she sends an email that your company insists on verifying, that’s a solid sign that you take cybersecurity seriously. It might make her feel comfortable doing business with you.
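The “treat every unexpected email as fake” rule can be partly mechanized. The following is an added example, not code from the article or from Defendify: it parses a constructed email, checks whether the brand it claims to be (the FedEx and LinkedIn lures mentioned above) matches the sender’s domain, and flags links or Reply-To addresses that point elsewhere. The brand list and the “last two labels” domain approximation are simplifications assumed for the example.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Brands impersonated by the lures the article describes, mapped to the domain
# they really send from. Constructed for this example; a real list would be longer.
KNOWN_BRANDS = {"linkedin": "linkedin.com", "fedex": "fedex.com"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of a registrable domain (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the reasons an unexpected email should be treated as fake until verified."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_name, sender_addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender_addr.split("@")[-1]) if "@" in sender_addr else ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    reasons = []
    # 1. A brand named in the display name or subject must match the sending domain.
    haystack = f"{sender_name} {msg.get('Subject', '')}".lower()
    claimed = [b for b in KNOWN_BRANDS if b in haystack]
    for brand in claimed:
        if sender_domain != KNOWN_BRANDS[brand]:
            reasons.append(f"claims to be {brand} but sent from {sender_domain or 'unknown domain'}")
    # 2. Every link should stay on the sender's domain or the claimed brand's real domain.
    allowed = {sender_domain} | {KNOWN_BRANDS[b] for b in claimed}
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in allowed:
            reasons.append(f"link to {host} does not match sender or claimed brand")
    # 3. A Reply-To on another domain suggests the sender does not control the From mailbox.
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registrable_domain(reply_to.split("@")[-1]) != sender_domain:
        reasons.append(f"Reply-To ({reply_to}) differs from From domain")
    return reasons


# Constructed sample: a fake LinkedIn invitation of the kind the article warns about.
SAMPLE_INVITE = """\
From: "LinkedIn" <invitations@linkedin-mail.example>
Reply-To: accept@mail-relay.example
Subject: Jane Doe wants to connect on LinkedIn
Content-Type: text/plain; charset=utf-8

Accept the invitation: http://linkedin.com.invite-accept.example/i/12345
"""
```

Running `phishing_indicators(SAMPLE_INVITE)` yields three findings (brand/domain mismatch, off-domain link, foreign Reply-To); a genuine invitation sent from linkedin.com with links to www.linkedin.com yields none, which is the cue to go to the site or app rather than the email, as Simopoulos advises.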

AV and security integrators can and should play a role in reinforcing their customers’ cybersecurity, Simopoulos contended. “Educate your customers,” he said.

“If you can show them that you take cybersecurity seriously I’m telling you right now you’re going to be in a very good position to earn their business. You’re going to separate yourself from your competitors. You’re dealing with IT directors and they’re thinking about cybersecurity. They want to know, ‘What is your instant [incident] response plan?’ How are you protecting their data?”

About the Author

Tom LeBlanc

Tom LeBlanc is the executive director of NSCA. Learn more about NSCA and how to become an NSCA member at NSCA.org.

Commercial Integrator Magazine

Comments

  • “What is your instant response plan?” – I think he probably said “incident response plan”, or more affectionately known as IRP. The response does not need to be “instant” as sometimes, knee-jerk reactions may cause even more damage, and/or may alert the attackers that you know about their breach, and you may miss the opportunity to identify them. This is why it is so important to have an IRP in place, so you can take a systematic approach, documenting everything along the way.

    Once a threat is detected, the best steps in an Incident Response Plan are usually something like:
    1. Analysis – Is it a false positive? Review the logs for vulnerability tests or other abnormalities. What systems have been attacked? What stage of the attack? What is the origin?
    2. Containment – Provides time to determine the next steps, while limiting the spread, and the impact. Isolate the system if possible and make a backup for forensic investigation.
    3. Communication – Alert everyone on the Incident Response Team including IT, HR, Legal, Operations and Management representatives. Should law enforcement/FBI be contacted? Experts like FireEye? Third party vendors? Industry peers? How soon should you alert the public? The laws vary by state in the US. In the EU, the GDPR says within 72 hours.
    4. Eradication – Scan all systems for malware. Isolate and disable all accounts and components that have been compromised. Remove access to systems by suspect employee logins. Change passwords, apply patches, and reconfigure firewalls.
    5. Recovery – This can take a while, so you need to prioritize what systems are most critical to resume functionality.
    6. Post-event analysis – What was the dwell time? (time from breach to recovery) Are changes to policies, procedures, or equipment in order? How effective was the incident response plan? Then, test the revised IRP using a simulated attack.

    I’m no expert on cybersecurity, but I am now studying it in depth, and I appreciate all comments and questions.
