This article first appeared in the August 2021 issue of Security Business magazine.
Integrators who think that they are somehow removed from the real risk of cybersecurity breaches – putting their own company information as well as their customers’ private data at risk – were likely taken aback during a recent webinar (www.youtube.com/watch?v=pyObEeG6gMU).
During the session, moderator Rob Simopoulos of cybersecurity platform provider Defendify asked panelists whether they had any personal experience with breaches. One panelist, Brian Banks, information security officer for Texas-based integrator Lone Star Communications, described a “ground-shaking” potential cyber breach that was stopped “at the very last moment.” It was an attempted wire transfer fraud in which the attackers used text messaging and email in tandem.
The day started out normally, but everything changed when Lone Star’s CFO stepped into Banks’ office with an alarmed look on his face. He showed Banks his phone, which displayed a conversation about a financial transaction between himself and, apparently, the company’s CEO. Such conversations were not unusual for them, and they sometimes took place over text messaging, Banks explained. “In this case, it started out as text messaging and evolved into emails – a substantial amount.”
Luckily, the transaction was stopped when a suspicious banker reached out to Lone Star’s CEO. “The incident was very alarming because it would have been very disruptive to our business,” Banks said.
The episode also illustrates the twofold risk integrators face: to their own operations, and through the privileged access they hold on customers’ networks.
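The email half of an attack like the one Banks describes usually rides on a forged sender: the CEO’s name in the display-name field of an address the company does not control, often with a Reply-To that steers the thread to the attacker. The following Python check is added here as an illustration and is not code from Lone Star Communications, NSCA or Defendify; it flags those two header indicators. The executive roster and the two sample messages are assumptions constructed for the example, since the article does not describe the actual headers involved. The control that saved Lone Star, a banker calling the CEO on a known number, is an out-of-band verification that no mail filter replaces.

```python
"""Flag email headers that impersonate an executive (display-name spoofing).

Added example; not code from NSCA, Lone Star Communications or Defendify.
The executive roster and the sample messages below are constructed for
illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed roster: the executives most often impersonated in wire fraud,
# mapped to the only addresses they legitimately send from.
EXECUTIVES = {
    "Pat Jones": {"pat.jones@example.com"},
}


def _norm(name: str) -> str:
    """Fold case and whitespace so 'pat  JONES' matches 'Pat Jones'."""
    return " ".join(name.replace(",", " ").split()).casefold()


def check_headers(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in one RFC 822 message.

    An empty list means neither indicator fired. Only From and Reply-To
    are inspected; the body and attachments are not examined.
    """
    msg = message_from_string(raw_message)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.casefold()

    # Indicator 1: an executive's display name on an address that is not
    # one of that executive's known addresses (typically free mail or a
    # lookalike domain).
    for exec_name, known in EXECUTIVES.items():
        known_lc = {a.casefold() for a in known}
        if _norm(from_name) == _norm(exec_name) and from_addr not in known_lc:
            findings.append(
                f"display name {from_name!r} matches an executive, "
                f"but the sender address is {from_addr}"
            )
            break

    # Indicator 2: a Reply-To that differs from From, which silently
    # redirects the recipient's replies even when From looks right.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.casefold() != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    return findings


# Constructed sample messages (not from the incident described in the article).
SPOOFED = """\
From: Pat Jones <pat.jones.ceo@mail.example>
Reply-To: pj.office@mail.example
To: cfo@example.com
Subject: Quick wire before close

Are you at your desk? I need a transfer released today; details to follow.
"""

LEGITIMATE = """\
From: Pat Jones <pat.jones@example.com>
To: cfo@example.com
Subject: Q3 forecast

Can we go over the forecast at 3?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, "->", check_headers(raw) or ["no indicators"])
```

A check like this belongs in the mail gateway or a transport rule, where it can tag the message with a visible banner rather than block it; the roster must be kept current, and a clean result still does not authorize a payment. The business control is the one the story shows: any new or changed payment instruction is confirmed by voice on a number already on file, never on one supplied in the same message.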
I was a panelist on that webinar as well. The National Systems Contractors Association (NSCA), the trade association for integrators where I work, is extremely focused on cybersecurity. Protecting our members’ data is critical. It always has been, but ransomware stories in the news and anecdotes about member companies being hit have raised our sense of urgency.
Integration companies need that same elevated sense of urgency. The products and systems that integrators install sit on customers’ networks, so a weakness in the integrator’s own practices becomes the customer’s exposure. Integrators need to establish and continually reinforce trust through demonstrable cybersecurity credentials.
First, Protect Yourself
When it comes to cybersecurity, it is important to practice what you preach. That goes for a trade association emphasizing cybersecurity to its members, and it goes for an integration company looking to earn the trust of its customers.
In NSCA’s case, about two years ago, amid a barrage of ransomware news, our staff began using the Defendify cybersecurity platform, which includes employee training. Defendify is an NSCA “Business Accelerator,” which means we recommend that member integration companies consider teaming with them. It follows that, as a trade association, we should walk the walk. The program helped a great deal with our internal posture, for example in making sure employees know what to open and what not to open.
A portion of the employee education program consists of periodic videos about cybersecurity incidents and risks. Many of the individuals reading this article are likely well-equipped to recognize most cybersecurity threats; however, a company’s exposure is not limited to its top executives. The lessons in the training might be obvious to a senior security executive, but it is valuable to step back and recognize that colleagues could very well have fallen into the traps the videos describe.
In NSCA’s case, staff often discuss the videos and apply the scenarios to their own work. Meanwhile, Defendify tests us by sending simulated phishing emails, and none of us wants to be the one who clicked.
NSCA also implemented Sophos for data and endpoint protection. We made sure we were performing backups every day in case our data were ever held for ransom; a backup only helps against ransomware if at least one copy is kept where an attacker on the network cannot alter or delete it, and if restores are tested before they are needed. We also purchased cybersecurity insurance. Integration companies should certainly consider cybersecurity insurance; just filling out the application forces you to be more mindful of your infrastructure and of who can access sensitive information, and how.
Cybersecurity may not be considered a revenue driver, for nonprofit NSCA or for an integration company, but it needs to be prioritized like any other key to success. It should be part of the budget. At NSCA we have what we call a strategic planning grid, by which we make sure all our tasks are aligned with our most important objectives. Cybersecurity has a significant presence in that grid, which helps us keep it front of mind.
If your customers are not already sending you questionnaires to assess your cybersecurity posture, it is coming. Frankly, they should be doing so, to confirm that their integration partners can be trusted with the information on their networks.
NSCA integrator members tell us that their insurance companies want to know about their cybersecurity training. Many customers already require cybersecurity credentials in their project contracts: they want integrators to document their cyber training, how they would respond to a breach, what they do to protect customers’ private information, and what insurance they carry. Some customer specifications now state that the integrator must hold some form of cybersecurity certification; others say, more vaguely, that the integrator must indicate that its staff are trained.
The important takeaway is that, depending on the vertical markets and types of customers you work with, you might not yet be seeing much demand for cybersecurity credibility documentation. You will. It is not going to diminish; it is going to escalate and expand from what you might think of as mission-critical projects to a broad spectrum of projects.
Many integrators already hold cybersecurity certifications at both the company and the individual level, and those companies have a distinct advantage over those that do not.
The most important way integrators can build cybersecurity credentials is to walk the walk. In customer-facing communication, in internal practices, in everything you do, demonstrate that you take cybersecurity seriously.
Put yourself in the customers’ shoes: they are vulnerable. If they contract your firm to work on their network, they need to trust you, and they should be judging your every move. What kind of information are you including in emails? Do you require multi-factor authentication, and do you verify unusual requests through a second channel, as the wire fraud story above shows is necessary? Everything you do should show customers that you are careful. If you are not careful with your own information, why would they think you would be careful with theirs?
Do Not Depend Solely on Manufacturers
Sometimes integrators ask to what degree they can defer to manufacturers for cybersecurity guidance and credentials. NSCA advises integrators to tread carefully, even with their most trusted manufacturers. The problem is that manufacturers are not the ones on the hook: at the end of the day, when there is a problem, it is the integrator who put the system together and put it on the network, and it is rarely perceived as the manufacturer’s responsibility.
Bottom line: We think manufacturers are doing their very best, but it is the integrators’ responsibility, and they must face that reality.
The integration market is changing. About 10 years ago, integrators had to start talking about IT and becoming digital companies. In 2021, we live in that digital world. This is another step in the evolution, and there is no turning back. The need for heightened cybersecurity is only going to escalate.
Tom LeBlanc is the Executive Director of the National Systems Contractors Association (NSCA). Learn more at www.nsca.org.