Why manufacturers must change their cybersecurity mindset

Oct. 1, 2019
Reducing vulnerabilities in security products begins with putting cyber considerations first

Cyber attacks have become, and will continue to be, a major threat to businesses, making cybersecurity one of the most important trends across all industries. It goes without saying that as devices — especially those used in security — are increasingly connected along a network, the risk of a breach increases.

Therefore, over the last few years, manufacturers have invested a significant amount of time and resources in strengthening the cybersecurity of networked devices. Integrators and end users are also starting to factor in cybersecurity as one of the major buying criteria for physical security hardware and software. But this strategy isn’t always a simple one, given that there are a number of manufacturers with known vulnerabilities in their products and legacy installations. A key differentiator is how these challenges are addressed and communicated to customers.

As we as manufacturers move toward an approach that incorporates cybersecurity from the very beginning, we have to ask ourselves the following questions: How do we address potential vulnerabilities and ensure we’re including strengthened devices in our product roadmap? How can we move from a “fix it once it happens” mindset to being proactive? How can we make certain that our integrator partners and customers trust us to provide products that protect their sensitive data and security information?

Staying Ahead of the Game

From the first day that a product starts being developed, it’s critical for a manufacturer to identify potential cybersecurity risks and design a solution with best practices in mind. This should include techniques such as vulnerability testing and encryption to establish the highest level of cyber protection from all angles. In addition to designing products with cybersecurity in mind, manufacturers need to ensure that cyber is also a part of their standard test procedures throughout the lifecycle of a product.

A key area where manufacturers can be proactive is eliminating widely publicized default passwords in new products that do not force the user to either change them or create a password on first login. Eliminating default passwords on systems is the absolute first step. Manufacturers should also provide the proper training to integrator and dealer partners on how to best educate their customers about the cybersecurity risks associated with physical security devices.

One risk that end users may frequently raise is the use of products that provide a pathway to the organization’s corporate network. In particular, a business using older technology may be concerned about a lack of up-to-date network security features, which makes it possible for devices to be compromised and therefore potentially grant unauthorized access to both the facility itself and its network. Additionally, a device that is connected to the network but doesn’t possess the proper encryption and password protections is left open to risk.

This is where the manufacturer and integrator must work together to communicate the importance of regularly installing software updates and patches. One small hole can lead to an exceptionally impactful attack on an entire enterprise, but if manufacturers proactively account for cybersecurity within the product design process, software upgrades along the way can help avoid leaving a device open to this risk.

Establishing Best Practices and Standards

On a broader scale, the good news for manufacturers, integrators/dealers and end users is that the security industry is beginning to take cybersecurity discussions very seriously in an effort to meet the needs of the market. The Security Industry Association (SIA) is proactively working toward developing cybersecurity best practices for connected devices modeled after best practices already in place in other industries and international standards. SIA has established the Cybersecurity Advisory Board to explore what steps and guidance can be provided to the security industry. Adhering to standards has the potential to result in a competitive advantage for manufacturers that adopt these practices and provide added value for customers.

Europe is already embracing this ideology, with the introduction earlier this summer of the Cybersecurity Act, which was groundbreaking in that “it is the first internal market law that takes up the challenge of enhancing the security of connected products, Internet of Things devices as well as critical infrastructure” through a framework for European Cybersecurity Certificates. In essence, these cybersecurity certification guidelines incorporate security features in the early stages of technical design and development, which, as we mentioned above, brings significant advantages to manufacturers and end users.

Until manufacturers can look at the development and updates of their products — both hardware and software — and say that they’ve truly done everything they can to protect your organization’s data, they can’t rest. Security that begins through the design of products, and is set in motion through standard cybersecurity protocols, is the future of the industry and I look forward to seeing where we go from here in our quest to deliver safe and secure innovative solutions to the market.

About the Author:

With more than 25 years of security industry senior management experience, Kim Loy has achieved significant success within a wide variety of global enterprises. As Chief Product Officer for ACRE, Kim is responsible for oversight of the company’s brands, strategic product planning, and cybersecurity strategy. In addition, Kim provides direction for messaging strategy and communications development. Prior to her role at ACRE, she served as the Director of Technology and Communications for Vanderbilt International in Dublin, Ireland, where she managed the global R&D, Product Management and Marketing Communications teams and developed technology partnerships to increase the company’s reach. Loy has held senior positions with GE Security, G4S, Xtralis and Pelco. Kim also serves on the Security Industry Association Board of Directors.