Prove your Integration Company is Cyber-Ready

Aug. 16, 2019
How integrators can set themselves apart with cybersecurity policies and certifications

Cybersecurity takes on different meanings to different people. When it comes to protecting your clients’ business, employees and assets, there are a few precautions that systems integrators should take into account, ranging from traditional forms of security to precautionary measures that might seem less obvious. Using a combination of best practices is the easiest way to ensure important information will remain secure, and your customers will appreciate it too.

Ultimately, providing the best service as a systems integrator depends largely on communication and education, both with the client and also internally. Make it clear from the start that cybersecurity is a priority and that there are processes in place.

Assuring Clients

In many cases, a systems integrator will handle multiple client contracts – all of which outline different requirements regarding cybersecurity. One client may require an integrator to have basic cybersecurity measures in place, while others – specifically Fortune 500 companies – have more extensive policies and procedures. It is necessary to understand different requirements, set expectations and define capabilities.

One way to demonstrate a fluent level of cybersecurity knowledge is by getting certified. Namely, ISO 27001 is a specification for an information security management system that includes a framework of policies and procedures that include all legal, physical and technical controls involved in an organization’s risk management process. This certification is rare on the integration side, so those with this certification can set themselves apart from competitors while simultaneously providing peace of mind for end users.

For those who do not have or are unable to attain this certification, there are other ways to prove competency relating to the latest practices of cybersecurity. Offering a question-and-answer session with clients can simultaneously show the ability to address all of their concerns, while potentially providing insight into areas they may not be aware of.

During this time, invite the client to read your policy on cybersecurity so there is a solid understanding of expectations moving forward. From there, the customer can indicate if these policies work or if they are too lenient. The most important thing to remember during this session is to make sure there is a concrete understanding of the clients’ policies, along with expectations for outside vendors. Do not leave this meeting unsure of anything. Most rules are outlined in the client contract, but some are not. It is critical to ask a lot of questions.

Some essential areas of concern to cover during this session include understanding the specific rules that are mandatory for technicians visiting a facility or working on a client’s system and just making sure everyone is on the same page moving forward. Clients are more sophisticated than they were a few years as a result of the industry changing at a very rapid pace. They know what they want, and from a liability standpoint, take cybersecurity more seriously.

For Internal Employees

Aside from certifications and directly answering questions, it is important to invest in educating employees – from the security technician to the sales employee – to further solidify the commitment to cybersecurity.

Providing cybersecurity training to all employees, regardless of their position, will demonstrate to clients that their information is safe at all times. While it is important for the on-site technician to be versed in cybersecurity best practices, it is equally as important for office employees to practice the same behaviors.

Consider dedicating some resources during the onboarding process to make sure new hires are up to speed on best practices, such as how to recognize an email fishing scam. Some companies use online training that enables employees to read through each policy and be tested on it. Some programs give automatic grades once the test is completed, and can then provide the company with a list of who has completed the training and how well they did.  

In addition, other simple protocols – such as closing a laptop screen that is not in use, or disallowing the use of thumb drives to transmit data – are examples of policies to implement that can go a long way.

Get Audited

In order to avoid biases when evaluating your company’s level of cybersecurity adeptness, it is a good idea to hire an external auditor. Allowing another company to evaluate cybersecurity practices can provide a clear picture of areas that can be improved upon and can further provide the best and most secure services to your clients. These audit reports can be shared with clients to prove cybersecurity diligence. If the results are not as expected, this report can then be referenced and used as a benchmark to make future improvements.

Going hand in hand, if the resources are available, some companies choose to hire a third-party company to handle much of the IT work for the company itself, rather than the clients. While most companies do have an IT professional on hand, this approach enables them to focus on client needs, whereas the third-party company can focus on the needs of the specific security systems integration company as a whole.

These external companies often have a strong handle on cybersecurity practices, and do nothing but keep systems secure for a living. Having that back up – in addition to an already talented team on staff – further ensures security in the long run. Multiple levels of protection and increased oversight can improve cybersecurity accountability.

Above all else, it is necessary to keep policies regarding cybersecurity black and white. When there is confidential data at risk, there is no room for areas of gray.

Larry Simmons is VP of Corporate Governance for Georgia-based integrator Tech Systems – a member of the Security-Net group of integrators. Learn more about Security-Net at www.security-net.com