Reducing the risk

Case Studies

How to minimise the exposure to digital sabotage of network connected equipment, software and systems used in electronic security systems by Glenn Foot, Security Products Technical Manager at Eaton Security

Security is becoming a hybrid offering

As the world becomes increasingly digital, organisations that have traditionally dealt in physical security are having to change the way in which they operate. A recent report from Deloitte found that by 2020, 4 billion people are expected to be connected globally, generating 50 trillion gigabytes of data per year. As consumers become more connected by the internet of things (IoT), threats not only remain but, in some cases, have become heightened. IoT can best be explained as the extension of internet connectivity into devices, such as alarms or smart meters. This era has made life more convenient not only for consumers – who can turn their heating on remotely, turn lights off when away from home, for example – but also for enterprises that can allow more devices onto their network. That said, this new type of technology has come with a few potential security risks. A report from RiskIQ found that the number of malware attacks on IoT devices has skyrocketed by 215% to 32.7 million from 2017 to 2018, demonstrating that whilst these devices may simplify lives, security is still a concern. This meaning that enterprises must take steps to remain vigilant against potential hackers that have the ability to access networks and potentially sensitive documents.

Cyber-attacks are not mutually exclusive to enterprises or consumer devices 

A study from Gartner revealed recently that 40% of smart home appliances globally are being used for botnet attacks and this figure is expected to rise to 75% by 2021. Whilst cyber-attacks are clearly prevalent in the consumer space, they are becoming increasingly common across enterprises. According to a study by Hiscox, more than half of UK firms have reported a cyber-attack this year, admitting they are under-prepared for a breach. Not only can these breaches be financially damaging for organisations, they can also be harmful from a brand perspective.

This is best represented by the Equifax data breach in 2017, when personal information of over 140 million customers was exposed. Following the hack, a YouGov BrandIndex report found that Equifax's “Buzz score” – which measures whether people have heard anything positive or negative about a brand during the previous two weeks – had dropped from zero to -33 in the first 10 days following the hack. This significant drop-in trust clearly demonstrated the importance of managing reputational damage after an attack.

A lack of education around security standards

A talent shortage and lack of education within the industry has, for a number of years, led to customer frustrations. The industry trade body, the BSIA, recognises the skills gap and has heavily invested in promoting apprenticeships for the sector through its training arm Skills for Security. It should not come as a shock that IP technology now plays an important role in the new Government Trailblazer apprenticeship scheme. However, cyber security is still not a key focus!

The BSIA value education and qualifications and note the importance of addressing the lack of understanding of the impact of IoT in the security industry. 2017 saw the launch of CySPAG (Cyber Security Product Assurance Group) who immediately sought to determine the needs of industry and consumers in order to develop best practice in this growing field. With the support of members and industry expertise, this BSIA specialist interest group helps to combat a growing knowledge gap and the threats which accompany it.

CySPAG’s main thrust was to develop an understanding of how internet connected security products and services impact on our industry sector and how we can minimise exposure to digital sabotage of network connected equipment, software and services used in electronic security systems.

This led to the first work stream to develop the ‘Cyber Secure IT’ guidance, a first for the industry sector, which has received some significant interest and support both in the UK and within Europe.

CySPAG is currently working on its next project developing an industry code of practice for installers of internet connected security systems, providing a basis for a certification scheme in this field. As CySPAG state: ‘the assurance these new guidelines give throughout the supply chain should instil end user confidence in connected security solutions.’

Whilst the BSIA CySPAG group is a major step forward, when it comes to tightening regulations, more can be done to protect both organisations and consumers.

In some industries, even including some parts of the security sector, education around security standards is lacking. And this is not only from a consumer point of view, but also includes many industry experts – i.e. those installing the security. There is an argument to suggest that better device security is required to ensure that it is harder for bad actors to infiltrate software.

However, the onus does not lie with one group - both industry specialists and the public need to take responsibility when it comes to educating themselves against potential threats. The public must ensure they are only working with certified installers that have the correct credentials and are only buying from trusted manufacturer. Installers and industry bodies have a responsibility to ensure that safety is being made a priority, and that brand reputation of legitimate manufacturers is being protected.

Remote working means enterprises must rethink security strategies

It’s clear that the way in which people work has changed in recent years. According to the Office for National Statistics (ONS), between 2012 and 2016, flexi-time has risen by over 12%, whilst the number of UK workers that have moved into remote working has risen by nearly a quarter of a million over a decade. And this figure is expected to rise by next year, with the ONS forecasting that 50% of the UK workforce will be working remotely. With more employees working away from the office, organisations need to be aware of the increased security risks that comes with this shift. For example, what to do in the case of employees using unsecured Wi-Fi while working from a public space.

In the end, organisations must ensure they are adapting quickly enough to deal with workers changing needs, however be wary that when employees choose to work remotely, the tools are secure enough to safeguard employees.

With bad actors becoming more complex and in search of new ways to infiltrate devices and enterprises for their own gains, it is up to industry specialists and bodies to better educate and protect customers. Only then will end users and enterprisers have the confidence to invest more in the right security systems. Whilst the BSIA is leading the way in supporting members and upholding industry standards, only 70% of the industry are represented, giving room for improvement. Only when the entire industry is protected, will we feel like our job is done.