If your business lacks cybersecurity discipline, that’s obviously a bad thing from a security standpoint. But consider that it’s also terrible for your sales.
Can you confidently eat at a restaurant after noticing that its bathroom is a horrendous mess? Would you take fashion advice from a salesperson who is dressed tastelessly?
“If you can show them that you take cyber security seriously I’m telling you right now you’re going to be in a very good position to earn their business,” says Simopoulos.
Well, put yourself in the shoes of an IT professional bent on making sure that her organization’s network is protected against cyber criminals. She’s very unlikely to do business with a technology contractor that doesn’t demonstrate an appreciation for cybersecurity in its digital interactions.
Think about it. If a vendor exhibits reckless digital behavior, an IT director won’t want that vendor anywhere near his network.
My guess, however, is that most AV integration firms make a habit of demonstrating “reckless” digital behavior. In doing so, they reveal their cyber vulnerabilities during interactions with their customers and prospective customers (most of which make purchasing decisions through their IT departments).
That’s not good.
During a presentation at NSCA’s 2018 Pivot to Profit, Rob Simopoulos of cybersecurity provider Defendify, laid out some of these reckless digital behaviors. Many are so commonly demonstrated that it’s almost like they’re hiding in plain sight within most organizations.
Here are some cybersecurity takeaways from Defendify:
Threat of working with a cybersecurity-ignorant contractor is real
Remember the data breach at Target that affected 41 million customers? The gateway for that cyber crime was through an HVAC contractor that worked with the retailer, Simopoulos pointed out. The hackers broke into the contractor’s network and pivoted into Target’s. In fact, 60 percent of data breaches are related to a third party, he added.
If you’re an AV integrator, that should legitimize any concern your customers might have about your cybersecurity knowledge and readiness.
Your company and your customers are targets
When Simopoulos asked the Pivot to Profit crowd, mostly people running AV and security integration firms, how many have had a cyber-attack at their organizations over the past 12 months, only a smattering of hands went up. Many who didn’t raise their hands are likely wrong. Simopoulos said that 68 percent of small businesses have experienced a cyber-attack over the last year and 50 percent of these crimes target small businesses.
Cyberattacks are extremely costly
We all understand the value of physical security to protect businesses. Well, the average loss in a physical burglary is about $2,000, Simopoulos said. “In a cyber-attack it’s $117,000-plus.” So it’s understandable that customers would want their contractors to respect that risk.
You probably don’t realize how much data you need to protect
If your customers’ IT departments aren’t concerned about their contractors’ IT security, they should be. Simopoulos polled the Pivot to Profit crowd and listed elements that companies need to protect from a data perspective. Really, he said, “it’s anything you wouldn’t be willing to put on a public-facing website,” including:
- HR data
- Financial data
- Employee personal information
- Vendor prices
- Proprietary information (e.g. related to product development)
- Most importantly, customer sensitive data such as IP addresses, network topology, floor plans, MAC addresses, their customer information
“There’s a lot of important information there,” he said.
Cyber-threats come from four major sources
- Cyber-criminals (hackers, pretty self-explanatory)
- “Hactivists” or “hacktivism” (criminals who hack for some political motivation)
- Cyber-soldiers (they might be attacking the U.S., they might be sponsored by some state)
- Insider threat (sometimes it’s malicious and on purpose and other times it’s a negligent insider causing a threat)
Phishing has gotten very sophisticated
While the days of Nigerian princes hitting people up for money via email aren’t over, there are far more advanced methods of phishing today. Simopoulos pointed out that phishing emails have gotten very smart. If your employees get a notification that they’re about to receive a FedEx package, it’s pretty tempting to click for tracking information. If they get a LinkedIn invitation, it’s human nature to accept it.
“You’re dealing with IT directors and they’re thinking about cyber security. They want to know, what is your instant response plan? How are you protecting their data?” Simopoulos said.
“Never click on an email to accept a LinkedIn invitation,” Simopoulos said. “Go to the site or the app.”
“These criminals are often very patient. They’ll take time and research your companies and who you’re doing business with,” he added.
The reality is that there is “only one way to project yourself against” phishing, Simopoulos said. “It’s to act like very email you receive is fake. If you weren’t expecting it, you have to verify it.”
Now put yourself in the shoes of your customer’s IT director again. If she sends an email that your company insists on verifying, that’s a solid sign that you take cybersecurity seriously. It might make them feel comfortable doing business with you.
AV and security integrators can and should play a role in reinforcing their customers’ cybersecurity, Simopoulos contended. “Educate your customers,” he said.
“If you can show them that you take cybersecurity seriously I’m telling you right now you’re going to be in a very good position to earn their business. You’re going to separate yourself from your competitors. You’re dealing with IT directors and they’re thinking about cybersecurity. They want to know, ‘What is your
instant [incident] response plan?’ How are you protecting their data?”