Looking back to look forward at ISC West 2020

Wednesday, February 26, 2020

Having had the privilege of attending three shows during February, I’ve heard this phrase most: “It’s hard to believe that ISC West is already here!” And, quite frankly, I couldn’t agree more! 

As I think back to last year’s ISC West, there were three key trends that resonated with me: 1. deep learning, artificial intelligence (AI) and machine learning (ML); 2. video doorbells; and 3. RMR for integrators. 

Last year, right after ISC West, I reached out to some experts to gather their thoughts regarding these trends. Here are some of the responses I received to help whet our appetites for ISC West 2020:

(I wonder how these trends have evolved over the course of about a year; I’m excited to find out in less than a month!) 

How is deep learning/AI/ML currently enhancing the security industry? 

“It’s hard to say … it’s an overused buzzword that is difficult to actually nail down what it means or what it’s doing. Future … likely … now … unlikely.”

—Mark Hillenburg, executive director of marketing, Digital Monitoring Products

“Deep Learning, a subset of AI research, is primarily helping the security industry in the world of video surveillance/video management. Video is typically the largest source of unstructured data, data with no predefined format on the information contained inside, so in order to process out people, objects, events, etc., typically requires a large amount of processing power and can be very costly. Most of the world’s video typically is recorded and not watched because the manpower to review the amount of video recorded is impossible to achieve. 

“Computers are very adept at repeated tasks, such as processing video; however, traditional algorithms for computer vision, the realm of research into video and image processing, were not really able to scale to that high volume without massive computation resources investment. The computer vision research world has really seen a large improvement in the advances deep learning is bringing in terms of increased speed to results, increased accuracy and reduced computation requirement. This will likely continue as time progresses, but the deep learning revolution for video can bring actionable information in previously unmonitored video to operations at a very powerful pace.”

—Dr. Sean Lawlor, data scientist, Genetec Inc.                                                                              

“AI is used today in the security industry to perform tasks like facial recognition and video analytics. While these are impressive accomplishments, they are still atomic in nature in the sense that they represent isolated inputs to the system as a whole.”

—Paul Saldin, vice president of engineering, Alula

“There has been tremendous progress in video analytics through deep learning and artificial intelligence that surpasses anything created so far. Facial recognition, license plate readers and even things like hard hat and safety glass detection now are a reality. These processes not only enhance security by providing detailed information on who may be coming or going at a business and at what exact time, but they can also improve operations and safety.”

—Robert Messer, president, ABP Technology 

“Technology advances from deep learning and AI can help improve the accuracy in intrusion detection, and help to reduce false alarms. The security system needs to know when a homeowner is home or away, and needs to track occupants’ movements to initiate activities across the home. Features like smart sensors, geofencing, voice controls and facial recognition have been making systems more intelligent. And, as security continues to integrate with home automation, we’ll see the home become more capable of anticipating the needs of its occupants.”

—Alice DeBiasio, vice president and general manager, global residential security, Resideo

“Deep learning and AI are making smart security smarter based on data analytics, sample teaching, and intelligent decision making. In other words, it isn’t enough for security devices to simply collect large volumes of data, which they are certainly capable of doing. Deep learning and AI methods can help analyze that data and separate what is important from what is not — or analyze the data to uncover deeper trends and more complex information that the collected data alone cannot. Take video analytics, for example. AI powered video analytics are event-based solutions that apply deep learning and artificial intelligence, efficiently analyzing vast amount of data generated by videos, and generates quick response in real time. This system reduces manual monitoring and associated costs and increases productivity of video surveillance systems. Through the application of AI, video analytics can go far beyond just informing users that a person or other object has entered an unauthorized space. With the information collected from a large number of cameras, companies can apply facial recognition software to identify a specific person approaching a building. In addition, by running analytics, a company can not only alert the user to an unauthorized vehicle approaching a building but can also scan the license plate, giving the security officers information that can be checked with existing databases to determine potential-threat status.”

—Joe Liu, CEO, Miotta

Why are video doorbells so popular among consumers?

“Marketing and promotion and the proliferation of video as ‘security.’ In reality, security prevents someone from stealing your stuff … where video just lets you know who did it. Video doorbells are very popular, but after living with one for almost two years, I’ll be interested to see if there is a market demand for a second generation of owners. Once you have one, will you spend the money the second time? We will wait and see.”

— Mark Hillenburg, executive director of marketing, Digital Monitoring Products

“Video doorbells are set to experience massive adoption in the security industry in 2019, and it’s no mystery why. Customers love being able to monitor their front door remotely and protect deliveries from would-be porch pirates. This also naturally extends the perimeter of protection for homeowners, and when paired with home automation for locks, video doorbells can assist to enable greater access controls for engagement and remote entry management. That said, not all video doorbells are created equal. If you don’t have a fast network on the backend, you’ll experience late alerts and lag during two-way voice chat, which compromises the functionality. You really need a fully integrated system to get the most out of this popular technology.”

—Brad LaRock, vice president of marketing, Alula

“Situational awareness has always been one of the key attractants in surveillance solutions and video doorbells give us another means to improve our situational awareness. Just like with our businesses, we all want to protect our homes and know what is going on. And, we are also ‘linked in,’ so to speak. Our smartphones, tablets and computers are essentially a part of us and if we can use those devices to see who is at the door and respond in real time, then it makes life for us that much easier.”

—Robert Messer, president, ABP Technology

“Video doorbells have been a popular trend in the industry and continue to gain momentum. They solve an immediate need, and more consumers are asking for them. Homeowners see the value in being able to see and speak to visitors, and have access through their mobile devices. Dealers should be including video doorbells on every installation.”

—Alice DeBiasio, vice president and general manager, global residential security, Resideo

What does your company offer in terms of RMR for your integrator partners?

“Recurring monthly revenue (RMR) is the lifeline savvy systems integrators seek to stay profitable, and it can be found in many different technologies, including power solutions. For the end-user customer, managed power solutions offer a value-added solution that ensures system uptime, integrity and reliability. The possibilities to perform managed power services can encompass many physical elements: the main power supply; power system outputs; supervised inputs; and standby batteries. Managed monitoring can include event reports; AC loss notification; service due reminders; overcurrent alert; low-battery warning; and insufficient battery standby. Remote servicing capabilities of power solutions can cover output supervision; battery load testing; remote power cycling; and system health log/trouble alerts. There is also the opportunity to create real-time action alerts and reports via email, XML, web-browser notification or Simple Network Management Protocol (SNMP).”

—Michael Bone, marketing manager, LifeSafety Power, Inc.

“Mobile medical alerts are a natural fit for security companies. Adding medical alerts expands your security offerings and increases perceived value for your customers because you now offer safety and peace of mind for your customers both at home and away. Security companies have an established customer base comprised of safety-minded individuals who may need medical alert themselves, and there are scores of new customer opportunities available through referrals because each existing customer has a relative or friend who could use a medical alert device.”

—Craig Pyle, VP of product, Freeus

“March Networks currently offers RMR models to our certified partner community through two hosted services offerings: March Networks Insight and March Networks Searchlight as a Service. Both solutions provide customers with flexible service terms and payment options, and help integrators reduce service costs through expert video system health monitoring support delivered via March Networks’ secure Network Operations Center (NOC).”

—Dan Cremins, global leader, product management, March Networks

“Video is a major driver for new RMR and we are leaning into that opportunity. Our modular approach also means that our partners don’t pay for home automation capabilities unless they will be getting additional RMR from their customers for those services. Because we are vertically integrated and own the network, more of the RMR goes into the integrator’s pocket rather than a third-party provider. All our services are provided at a wholesale rate with no stipulation on what the integrator can charge their customers, so they set their own pricing and can reap the RMR that their market will bear.” 

—Dave Mayne, vice president of product management, Alula

“ABP Technology offers an advanced platform for integrators that allows them to offer customers basic cloud services as well as their own service and value. That means that integrators now can sell their skills integrating, tuning and maintaining their systems.”

—Robert Messer, president, ABP Technology

“As the residential security landscape continues to evolve, there is an increasing opportunity for RMR around smart home technologies. Our products are connecting the major systems of the home – on the exterior, behind the wall, on the wall and in the cloud. We believe the security dealer is best positioned to win in the smart home market, and we’re fully committed to helping them deliver the connected experience their customers demand.”

—Alice DeBiasio, vice president and general manager, global residential security, Resideo

“Miotta offers an ‘in-a-box self-configuring connected system’ and collaborative Video-IoT RMR security service for security integrators/operators to offer to their residential and enterprise customers. Miotta’s mobile-cloud ‘virtual’ security service platform allows integrators, security dealers, ISPs, mobile carriers and more to offer mobile-cloud security services to both residential and enterprise customers.”

—Joe Liu, CEO, Miotta

A month of travel and education

Wednesday, February 19, 2020

February, the month of love, captures the hearts of some with flowers, chocolates and cute stuffed teddy bears, but for me, it’s travel that warms my heart and this month is shaping up to be what I call my “travel trifecta.” First it was New Orleans, now Grapevine, Texas and next is San Diego.

Having just recently returned from “N’awlins” from our show, SecurityNext, which was a huge success, I am currently in the midst of attending Milestone’s MIPS 2020, focusing on the power of open. So far, I have learned that “open” gives security integrators choices, which empowers them to create exactly what end users want when it comes to security-related installs — experiences.

“The power of open offers flexibility, choices and possibilities,” Kenneth Petersen, chief sales and marketing manager, Milestone Systems, said during his presentation at MIPS.

As MIPS concludes today, I will continue to share juicy bits of knowledge gained (For example, did you know Milestone became a seller on AWS?) on my Twitter feed @SSN_Ginger, so be sure to follow me if you aren’t already, and be on the lookout for more on MIPS 2020 and Milestone in the coming weeks.

Wrapping up this week and into the weekend, I will be jet-setting off to San Diego for AMAG Technology’s 20th Security Engineering Symposium (SES) 2020. This will be a time of learning, networking, developing relationships and interacting with distinguished end users, consultants and integrators with discussions about modern technologies, trends and how the real world of security is changing.

“AMAG Technology's Security Engineering Symposium brings together our community of end-users, consultants, integrators and technology partners to network, interact and discuss the industry's latest issues and trends," AMAG Technology, Director of Business Development, Kami Dukes, told Security Systems News. "It's important for our customers and partners to attend because we learn so much more when we collaborate and work together. AMAG gets inspired to do things differently by listening to the community's interaction and feedback. Their engagement is invaluable. The event remarkably contributes to our product vision and improved solution offerings to the market. I think it's the most valuable event of the year."    

Be on the lookout for “tweets du jour” from me during AMAG’s SES 2020 and if you haven’t yet booked travel to any security-related events this year, I highly encourage you to:

1. Do some research to find the perfect event that relates to you and your business.
2. Reach out to the event director with any questions or comments prior to the event.
3. Register and book travel.
4. To get the most out of your event, read my LinkedIn article about how to get the most out of a conference experience.
5. Go enjoy, network and learn!
 

Inaugural SecurityNext conference a huge success

Wednesday, February 12, 2020

As I fly back home after an incredible four days in NOLA, highlights from our inaugural and highly successful SecurityNext conference, held Feb. 9-11 at the Royal Sonesta hotel on Bourbon Street, keep dancing through my head. As someone who loves music and is inspired by those who learn to hone their craft and share their talents with others, it was a sheer pleasure to soak in the sights, sounds and heartbeat of N’awlins … as they say here.

With sounds of trumpets and trombones permeating the air and drifting into the hotel and session and meeting spaces, it was also a sheer pleasure to hear some of the top thought leaders in our industry, who have honed their craft within security, share their talents and ideas with others.

From the opening networking reception on Sunday evening to the closing tour of the NOLA Real Time Crime Center, attendees were treated to a comprehensive learning, networking — and absolutely fun and exciting — conference experience, evidenced by the overwhelmingly positive evaluations from attendees. In fact, almost all said they would recommend the conference to others and would be coming back next year.

“If you want to be a part of this industry’s future, you must attend SecurityNext,” said Andrew Lanning, Integrated Security Technology cofounder and 2019 recipient of the Security Industry Association’s Jay Hauhn Award.

Mike King, manager, hosted video for Axis Communications said, “A must attend for companies wanting to understand the next major shift in the security industry.”

Some of the highlights of SecurityNext 2020 include:
•    An opening welcome reception that gave attendees a chance to connect, network and plan for fun nights out on the town in preparation for a full two days of learning.
•    Two keynotes, including Intel’s Global GM for IoT Solutions Sameer Sharma, and NOLA Real-time Crime Center IT Manager George Barlow Brown.
•    Comprehensive education program including six panel discussions and five presentations featuring 29 speakers who are top thought leaders in security today.
•    The “40 under 40” Award Reception on Monday evening, sponsored by the Security Industry Association, that celebrated the class of 2019 winners, including integrator, consultant and end users.
•    The first-ever Legend Award ceremony for inaugural recipients Bill Bozeman and Jim Henry, presented by Andrew Lanning (to Bozeman) and ESIConvergent’s Pierre Bourgeix (to Henry).
•    A tabletop exhibit room highlighting the latest security technologies, products and services, from cloud and data analytics to machine learning and AI.
•    A tour of NOLA’s Real-time Crime Center given by day two keynote George Barlow Brown.

Check back to our site in the coming days and weeks as we provide more in-depth coverage of all the exciting things that happened at SecurityNext 2020!

US leading the global smart home market

Wednesday, February 5, 2020

The influence of the smart home on security is well documented, as consumer awareness of what is available in the home, from security to home automation to energy savings, continues to drive the purchase of smart home and security products, services and support.

The latest research on the smart home shows the U.S. is leading a global smart home market that is estimated to climb from $91 billion this year to $158 billion by 2024, growing at a CAGR of 15 percent in the next four years, according to data gathered by PreciseSecurity.com. Moreover, household penetration will climb from 9.3 percent this year to 19.3 percent by 2024.

Houseowners worldwide will spend $19.4 billion on security systems this year, with smart security cameras and smart locks as the leading products. This amount is expected to double and reach $35.6 billion value in the next four years. The number of active households in the security segment is forecast to hit 196.9 million by 2024.

Analyzed by geography, the U.S. is the largest smart home market in the world with $27.6 billion in revenue this year, followed by China at $20.8 billion, Germany and the United Kingdom at $4.8 billion and Japan at $4.7 billion.

The report noted that the global smart-home ecosystem is set to continue its rapid expansion mostly due to the speed of 5G implementation, as well as recent IoT investments by Google, Apple and Amazon, which have “transformed the landscape noticeably, providing opportunities for various companies.”

Interestingly, the 2020 data show that one-third of smart home device owners are Millennials.

Divided by categories, smart appliances generate the most significant share of the overall market income. Global consumers are forecast to spend $21.5 billion this year on devices they can connect to smartphones or tablets for better control, convenience and information. This segment of the market is expected to jump to $39.6 billion by 2024.

With $21.1 billion profit in 2020, control and connectivity devices represent the second most popular consumer choice.

The energy management solutions are forecast to generate $7.2 billion income this year and jump to $12.4 billion by 2024.

Giving back at ISC West

Wednesday, January 29, 2020

I always liked the proverb, “see the forest for the trees,” as it speaks to a phenomenon that happens far too often these days in society — not seeing the bigger picture because we are so focused on the minutiae of the day.

With thousands of security professionals converging on Las Vegas for ISC West, March 17-21, and hustling and bustling around to the millions of appointments and meetings, closing deals and making the almighty dollar, I feel that many times, we can't see the forest for the trees.

For the purposes of this rant, the forest, or the bigger picture, is the responsibility we each have to give back to an industry that has given us so much.

And, what is amazing about ISC West is the abundance of opportunities to give back, individually or on a corporate level, with either time or money.

One organization in particular, Mission 500, is really making it easy for individuals and companies to give back by participating in the 11th Annual Mission 500 5k/2k charity event.

The Security 5k/2k fundraiser at ISC West 2020 will be held on Thursday, March 19th, at 2601 East Sunset Road, in Las Vegas, Nev., and will benefit children and families in need across the United States. Registration to participate in this year’s event is open and can be accessed by visiting www.security5kreg.com. For those who are unable to attend or participate in the physical event, you can sign up and donate as a virtual runner or walker.

“2020 marks our eleventh year hosting the Security 5k/2k and we want to thank all of the previous participants and sponsors who have made the last 10 years a tremendous success,” said Tom Nolan, director of Strategic Partnerships, Mission 500. “We can’t wait for this year’s event and hope to meet a wide array of new security industry participants, reconnect with prior ones, and have a great time while supporting this worthwhile cause.”

The Security 5K/2K is a joint collaboration organized by United Publications, the publisher of Security Systems News, ISC Events and Mission 500. To become a sponsor of the Security 5k/2k event, please click here or contact Tom Nolan via email at [email protected].

Confirmed charter sponsors include Alarm.com, Altronix Corporation, Axis Communications, Bosch Security Systems, BRINKS Home Security, CMAC, COPS Monitoring, Dahua Technology, DMP, Freeman, Galaxy Control Systems, HID Global, Hikvision, LENSEC, LRG Marketing Communications, Milestone Systems, Napco Starlink, PSA Security Network, Safety Technology International, Inc. and ZKTeco USA.

As Nolan points out, the goal is to get more people and companies involved and increase the amount of money raised each year. Last year, Mission 500 was able to raise more than $145,000 with the event, and with your help we can surpass that number this year.

Here’s hoping you see the forest for the trees.

Weak passwords and ransomware infections go hand-in-hand

Wednesday, January 22, 2020

Did you know … the first ransomware attack was carried out in 1989 by Joseph L. Popp, a Harvard-trained evolutionary biologist? As history tells us, Popp created the AIDS Trojan, known as the PC Cyborg, and sent 22,000 infected diskettes, labeled “AIDS Information – Introductory Diskettes,” to an international AIDS conference.

Unsuspiciously, the diskette did educate the user, but it also infected the user’s computer. After approximately 90 reboots, the virus would encrypt files on the hard drive, and to reverse it, the price was $189 made payable to a P.O. box in Panama. 

Although Popp’s virus was easily defeated, it started a snowball effect across the digital world. 

It’s been 31 years since the first ransomware infection and we’re still dealing with these on the daily. Research from precisesecurity.com showed weak passwords caused 30 percent of ransomware infections in 2019.

“Weak passwords.” How many times do we see or hear this phrase? Ad nauseam, if you ask me. And, yet, a quick Google search reveals some of the most popular passwords of 2019: 

  • 12345
  • 123456 (This one was used by 23.3 million victim accounts globally.)
  • 12345678 (This was chosen by 7.8 million data breach victims.)
  • 111111
  • test1
  • abc123
  • Password (More than 3.5 million people use this one to protect their sensitive information.)

It just doesn’t make sense. Yes, we have what seems like a bajillion passwords to remember for access to various locations, physically and digitally, but taking the easy way out hasn’t served us or the world well up to this point. It’s only produced one of the leading cyberattacks used by cyber criminals — ransomware.

So, now what? I suggest we take control over our password/phrase creation and usage. My proposal is simple: Set aside some time to create a list of strong passphrases and/or words once every quarter, adding each time to the previous list. Schedule “password/phrase creation” into your calendar so you set the intention ahead of time. The result will be a list of passwords/phrases that can be used anytime: when asked to update, creating a new account, etc. 

A Quick Tutorial

Creation: Think of a secret about yourself that only you or very few of your closest family/friends know. (To my knowledge, cyber criminals have yet to figure out how to hack brains to get information, so this seems like the safest, most secure information.) Then, create a passphrase, incorporating letters, numbers and symbols with your secret. 

Example (DO NOT USE): …Th3Qu1ckBr0wnF0xJump3d0v3rTheLazyD0g!?

Usage: Use a different, unique password or phrase for each account. Does this take time? Yes. Is it worth it to help prevent ransomware attacks? According to the statistics, yes, but this is something you have to decide for yourself by asking: “Is it worth my time to create strong passphrases and/or passwords to keep my sensitive information, such as access to my bank account or work life, safe?”

Lest we forget, Albert Einstein did define “insanity” as “doing the same thing over and over again and expecting different results.”

TSA’s quest to merge cybersecurity and information technology

Wednesday, January 15, 2020

We’re about two weeks into the new year, and suffice to say, gearing up for travel is top of mind for security professionals. The “big” industry shows always seem so far away at this point, but before we know it, ISC West will be here in March, followed by ESX in June; GSX in September; ISC East in partnership with ASIS NYC in November; and more. In addition to these are the smaller, boutique-type events, such as our SecurityNext conference in February (It’s not too late to register, btw!), not to mention all the companies that host events throughout the year. This puts you and your personal data in quite a few airports’ computer systems, screening technologies, etc., which can be a hacker’s paradise.

Fortunately, while you’re on your yearly security quests, TSA is on a “quest” of its own: “to merge cybersecurity and information technology,” according to a special notice issued on January 7, 2020. And, they aren’t going at it alone. The agency has the support of America’s airport facilities, working together to create a cybersecurity culture by adopting the requirement “cybersecurity by design” to ensure cybersecurity is at the forefront, as opposed to being an add-on or afterthought.

In addition to merging cyber and information technology, there are other “requirements for the information security and security screening technologies industry to ensure everyone is working towards a common goal,” it said in the notice. Other requirements include: 

  • Implementation of adequate access control and account management practices by enabling multi-level access to equipment sources and the ability to restrict users;
  • The ability for airport operators to change system level passwords;
  • Use of unique identification of individuals, activity and access to security equipment; 
  • Protection of screening algorithms from compromise, modification and rendering equipment inoperable, and provide immediate alert when algorithms have been accessed;
  • Ensuring USB ports are covered and access to ports, cables and other peripherals is protected from unauthorized use;
  • Employing automated measures to maintain baseline configurations and ensure systems protections;
  • Proper management of internal and external interfaces and encryption of ingress and egress traffic;
  • Implementing methods to update security equipment affected by software flaws; 
  • Running security assessment tools on devices to ensure appropriate configuration and patch levels, and that no indicators of compromise are present; 
  • Full support to ensure security equipment hardware, software and operating system vulnerabilities are identified and remediated; 
  • Use of an approved encryption method to ensure integrity of all data at rest on security equipment; 
  • Providing a comprehensive list of all software and hardware that comprise security equipment;
  • Demonstrating the ability to update equipment design and capabilities to align with changing cyber intelligence and threat reporting; and 
  • Vetting all local or remote maintenance personnel with the inclusion of background checks. 

TSA hopes that these requirements will “increase security levels; raise the bar of cybersecurity across screening solutions; provide vendors an opportunity to demonstrate their cybersecurity credentials; and provide an aligned approach across the industry—making it easier for vendors to adapt to end user requirement.”

Sounds like a win for anyone involved in travel. 

 

The state of ransomware ...

Wednesday, January 8, 2020

The recent cyberattack on the city of New Orleans is another sobering example of how vulnerable we are as a nation to cyber criminals. Even for cities like New Orleans, which was prepared for such an attack, there is an incredible amount of time and effort and cost that goes into getting a city back up on its feet after such an incident.

Following the New Orleans attack, a report on the State of Ransomware in the U.S., created by cybersecurity research firm Emsisoft, was rushed to be released ahead of its original Jan. 1, 2020 release date because, as researchers pointed out, the New Orleans incident “elevates the ransomware threat to crisis level. Governments must act immediately to improve their security and mitigate risks. If they do not, it is likely that similar incidents will also result in the extremely sensitive information which governments hold being stolen and leaked.”

By releasing the report early, the company hopes it will help “kickstart discussions and enable solutions to be found sooner rather than later. Those solutions are desperately needed.”

Looking at the numbers on ransomware, they are pretty mind numbing, as in 2019 the U.S. was hit by “an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 966 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion,” according to Emsisoft.

The impacted organizations included:
•    113 state and municipal governments and agencies;
•    764 healthcare providers; and
•    89 universities, colleges and school districts, with operations at up to 1,233 individual schools potentially affected.

The incidents were not simply expensive inconveniences, according to the report, which noted that the disruption they caused put people’s health, safety and lives at risk. For example:
•    Emergency patients had to be redirected to other hospitals;
•    Medical records were inaccessible and, in some cases, permanently lost;
•    Surgical procedures were canceled, tests were postponed and admissions halted;
•    911 services were interrupted;
•    Dispatch centres had to rely on printed maps and paper logs to keep track of emergency responders in the field;
•    Police were locked out of background check systems and unable to access details about criminal histories or active warrants;
•    Surveillance systems went offline;
•    Badge scanners and building access systems ceased to work;
•    Jail doors could not be remotely opened; and
•    Schools could not access data about students’ medications or allergies.

“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020,” Emsisoft CTO Fabian Wosar said in the report. “Governments and the health and education sectors must do better.”

Other effects of the incidents included:
•    Property transactions were halted;
•    Utility bills could not be issued;
•    Grants to nonprofits were delayed by months;
•    Websites went offline;
•    Online payment portals were inaccessible;
•    Email and phone systems ceased to work;
•    Driver’s licenses could not be issued or renewed;
•    Payments to vendors were delayed;
•    Schools closed;
•    Students’ grades were lost; and
•    Tax payment deadlines had to be extended.

As for how unprepared local governments are, a 2019 University of Maryland, Baltimore County research report, based on data from a nationwide survey of cybersecurity in U.S. local governments, stated that “Serious barriers to their practice of cybersecurity include a lack of cybersecurity preparedness within these governments and funding for it,” and that “Local governments as a whole do a poor job of managing their cybersecurity.”

The issues identified included:
•    Just over one-third did not know how frequently security incidents occurred, and nearly two-thirds did not know how often their systems were breached;
•    Only minorities of local governments reported having a very good or excellent ability to detect, prevent, and recover from events that could adversely affect their systems; and
•    Fewer than half of respondents said that they cataloged or counted attacks.

In some cases, governments failed to implement even the most basic of IT best practices, the report noted. For example, Baltimore experienced data loss because data resided only on end-user systems for which there was no backup mechanism in place.

According to the University of Maryland, Baltimore County's research, more than 50 percent of governments identified “lack of funding” as a barrier to cybersecurity and this is almost certainly an issue in the education and healthcare sectors, too. “Resolving the problem may simply require that organizations reallocate their existing budgets, or it may require that additional funding be provided either by federal or state government. In either case, it is an issue that must be addressed,” researchers concluded.
   
While 966 government agencies, educational establishments and healthcare providers were impacted by ransomware in 2019, the report noted that not a single bank disclosed a ransomware incident.

“This is not because banks are not targeted,” researchers noted. “It is because they have better security and so attacks against them are less likely to be successful. If government agencies were simply to adhere to industry-standard best practices — such as ensuring all data is backed up and using multi-factor authentication everywhere that it should be used — that alone would be sufficient to reduce the number of successful attacks, their severity and the disruption that they cause.”
 
As Wosar pointed out, “2020 need not be a repeat of 2019. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.”
 

Proactively going head-to-head with cyber threats

 - 
Wednesday, December 18, 2019

I recently read an article stating that the biggest cyberattack of 2020 has already happened. Needless to say, this sparked my attention, plunging my mind into thoughts of sophisticated cybercriminals who have already hatched a plan of attack that’s just sitting in wait, ready to emerge when prompted. While I don’t promote, condone or encourage using scare tactics as a way to educate others and prompt them to take action, this does sound a bit scary; so, I reached out to some cybersecurity experts and members of SIA’s Cybersecurity Advisory Board to better understand and learn what you and I can do to protect ourselves going forward. 

“The most successful cybercriminals are the ones you don’t even know are there,” Tiffany Pressler, senior manager, HID Global, said. 

Min Kyriannis, head, Technology Business Development, Jaros, Baum & Bolles further explained: “Typically, hackers will remain dormant in someone’s network until a sequence or signal is sent to initiate the attack.”

To better understand a cyberattack, Pressler explained the Cyber Kill Chain, eight recognized phases that most cyberattacks go through. The phases are: 

  1. Reconnaissance
  2. Intrusion
  3. Exploitation
  4. Privilege escalation
  5. Lateral movement
  6. Obfuscation/anti-forensics
  7. Denial of service
  8. Exfiltration

“Each phase offers an opportunity to stop the attack, but most aren’t aware that a breach has happened at any of these phases until months or years after the breach has occurred,” Pressler explained. “Based upon that logic, any breach impending in 2020 is probably already significantly down the list of phase stages.” 

This doesn't mean doom and gloom, but rather, a sort of "heads up" to take action now to protect yourself against what you already know is coming.

One of the biggest complaints people talk about is identity theft, so Kyriannis advised people to see what services are available. “Following the Equifax data breach, there are free services provided to lock your credit report, for example TrueIdentity,” she said. “Always ask questions about how companies you’re working with are securing the information you’re providing them. I set alerts on my credit cards so that when I use them, a text message is sent to my cell phone.”

Pressler also offers some simple, proactive actions to take now: 

  • Turn on multi-factor authentication for any and all applications and devices. 
  • Use a password manager to help you remember and not reuse passwords. 
  • Always use complex passwords consisting of letters, upper- and lowercase, numbers and symbols. It’s best when your password does not equate to a readable word, sentence or name. 
  • Never click on links in emails or text messages. 
  • Hover over links to reveal the full URL to see if it goes to a legitimate domain, owned by a company.
  • Secure links with a link scanner, such as Norton SafeWeb or ScanURL.
  • Never give out information through webpages launched from a link. Always go to a company’s homepage and log in there.

“If you’re proactive about setting these measures, you’re making it harder for the cybercriminals, but you’re also giving yourself a chance to recover quickly,” Kyriannis encouraged.

New research on state of security convergence

 - 
Wednesday, December 18, 2019

Security convergence has emerged as one of the most discussed and debated topics over the past few years in security, becoming a theme and backdrop that enters into, and many times, dictates conversations among top thought leaders in the industry today.

That is why I was excited to dive into new research from the ASIS Foundation, which just published its State of Security Convergence in the United States, Europe and India.

What I like about a study like this is it gives the industry a way to measure where we are in this security convergence movement, which is also part of what is being described by many outside and within security as the digital transformation.

Interestingly, although many are talking about “convergence,” ASIS found that only 24 percent of study respondents have converged their physical and cybersecurity functions. When business continuity is included, a total of 52 percent have converged two or all of the three functions. Of the 48 percent who have not converged at all, 70 percent have no current plans to converge.

“For years, security practitioners have accepted that organizations are increasingly converging their physical security and cybersecurity functions,” said Brian Allen, CPP, president, ASIS Foundation Board of Trustees. “This study collected current data to measure trends and progress with converging environments. What we’ve learned is that, although convergence has brought positive results, there is still much work to be done.”

Not surprisingly, the study found that security convergence produces tangible positive benefits, with 96 percent of organizations that converged two or more functions (physical, cyber and/or BCM) reporting positive results from the combination, and 72 percent saying that convergence strengthens overall security. In addition, 44 percent of converged organizations report no negative results from converging. Even in companies that have not converged, 78 percent believe that convergence would strengthen their overall security function.

While saving money is not the primary motivation for convergence, a key driver and benefit of convergence is the desire to better align security strategy with corporate goals, ASIS noted in the executive summary. When asked, “which of the following factors might convince you to converge?” the number one answer cited by 38 percent of those who had not yet converged was “better alignment of security/risk management strategy with corporate goals.” This was also considered the most positive benefit by 40 percent of the respondents that already converged two or more functions, the study found.

Interestingly, the main barriers to convergence were “turf and silo issues,” said one survey respondent. “Everyone wanted to safeguard his responsibilities, his people, his budget, his prestige and his importance to the company.”

Using survey responses from more than 1,000 security leaders from around the globe — plus more than 20 follow-up interviews — the study analyzes the relationship between physical security, cybersecurity and business continuity in modern organizations. It provides relevant benchmarks to compare strategies, plans and operations and determine best practices for creating more effective and cost-efficient security and risk operations.

The study’s executive summary is available free here. The full report is available here for purchase and is complimentary for all ASIS members.

Supported by member and corporate donations, the ASIS Foundation invests in elevating security practice through research and education. The Foundation awarded more than 170 scholarships in 2019 totaling more than $75,000.
