Customers cyberaware, but not fully cyber-prepared
ROMEOVILLE, Ill.—Protection 1, which operates its own Network Operations Center, is seeing a rise in customers separating their security network in order to stay more cybersecure. Security Systems News talked with several professionals at Protection 1 about how cyberaware end users are today and the similarities and differences in cyber- and physical security solutions.
“I think the awareness of cybersecurity is quite high. I say that because you see the popularity of a variety of different things in pop culture—we even have shows about hacking,” Michael Keen, Protection 1 vice president, said.
“But what’s really provocative is when you ask a customer their level of awareness around cybercriminal activity, they’re going to rate it as very high. Then, if you ask them in the same conversation to rate their level of protection against that activity, they oftentimes diagnose that as very low,” Keen continued. “I think that’s attributed to this gray area of who owns that space, and what options for protection and remediation exist.”
“[End users] do know that cybersecurity is a risk, but there’s currently not the infrastructure to protect themselves or the knowledge of what to do if [they] are attacked,” said Keen.
Keen cited ransomware as a rising cybersecurity threat for end users.
Ryan Fritts, company vice president, business analysis and technology, said that the emergence of ransomware has led to more awareness of cybersecurity risks among end users. “Now it’s becoming a little more visceral, a little more impactful for their day-to-day,” he said.
Which steps are more end users taking? “The number one step they tend to take is the one that everybody is familiar with, it’s anti-virus. You’ve started seeing the prevalence of back-up solutions, disaster recovery, and I think ransomware is helping to drive some of that conversation,” Fritts said.
“There’s more action being taken on the end point level … it’s not quite as prevalent yet on securing the network,” Fritts said. He advised that more end users could create multiple layers of security and include potential vulnerability spots such as smart printers, security cameras and DVRs. This secure ecosystem would have three main tiers, including secure and monitored solutions across end points, the network and cloud back-up or storage solutions.
There can be dangerous misconceptions around backing up files. “The idea of back-up sometimes creates an artificial impression of security,” Keen said. “The inability to … guard or protect against malicious packets is still there. Said differently: they might have a back-up of the same malicious malware on their computer now on their network.”
End users conceive of risk differently with cybersecurity than with physical security. “It’s not a tangible experience like a locked door or a burg system or an access control system. So, they don’t always know what they’re looking for, they don’t always know all of the openings that they have to protect and that’s what makes it so unique and more challenging,” Morgan Harris, company director, enterprise solutions, said.
“When you start to really sit down and talk to end users, they don’t always think about just how many Internet of Things connected devices they have, how many points of access they truly have,” Harris said.
Rich Aycock, systems engineer with Protection 1, said that companies are starting to see that cybercriminals do not only target large businesses. “While that misconception has kind of gone away, the new misperception is that these companies can’t actually afford to have an adequate level of cybersecurity,” he said.
Other issues that Protection 1 has seen among end users is in who handles certain matters. A company may rely on a person who has experience in a related field, but not exactly the matter needed to protect the business. “It’s not uncommon when we talk to businesses that the entrepreneur [or] the business owner … very quickly delegate any type of IT or cybersecurity responsibility to anybody that is capable of performing one of the many functions that are underneath those umbrellas,” Keen said.
Harris added that there is a parallel here to the physical security industry. “It’s not too uncommon for people to try to do some of the security themselves, but they often overlook entrances, exits, angles, how cameras work,” he said. “There’s a reason that we’re professionals in this industry; we know what criminals are looking for, we know how these cybercriminals operate.”
Physical security solutions and cybersecurity solutions are very different, Keen said, “But, some of the key concepts point back to our core strengths.”
These strengths include “having certified, credentialed service technicians to install, configure, and service the solutions,” as well as a record of experience and competency in a monitored solution, Keen continued. “The idea of monitoring a cybersecurity network is fundamentally similar to the core requirements of monitoring an intrusion system or fire system.”
For some customers, what is most important to them may be virtual. “It's a little irresponsible for security providers to just say we protect what’s most important to you, as long as it’s physically located inside your building,” Harris said. “What’s most important in this industry, in this lifetime now, is not only just a physical piece inside of their house or their business, it’s something that may be on their computer, it may be something that’s on their phone, it may be something that’s backed up to the cloud.”
The easiest thing that end users can do is seek education, Aycock said.
Keen said that end users can also take advantage of best practices, including with “the complexity of your passwords, how often you change your passwords, and the education of employees that may be using USB drives or clicking on malicious emails.”
Fritts added: “The weakest link in the whole chain is the human being behind a computer or behind a device.”
Protection 1 manages more than 45,000 devices, across 1,500 networks through its NOC.