As stated in my previous blog, “Baffling” Backdoor Cyber-Talks, numerous people in the industry, through discussion as well as writing, got right out and on top of a major story in the industry. Again, my hat is off to them, and this now leads to my next discussion on the matter of security. With the AMX by Harman situation analyzed as it was, it is time to move on to the next steps.
The audio visual industry, long based in on-premise security solutions and the discussions that have gone along with them, is now looking hard at a security discussion crossroads, all the more so with this recent incident that made headline news. Over the last year the industry has slowly but surely brought the discussion forward through experts in AV, the network, IoT and security, from those who educate on the subjects to panel discussions, as we had at InfoComm 2015, where security discussion filtered in and out of an Internet of Things keynote.
About that security discussion? I do remember it being brought for the most part by Mike Walker from Cisco, speaking in certain tones of concern and bringing the proper perspectives, since the global giant is known very well for its security side, in addition to what the industry knows well in terms of unified communications and collaboration.
According to SANS Institute’s (a trusted source for information security training, certification and research) Security Trends Blog page, the challenges security managers face never stand still. According to a recent study released by the SANS Institute and security firm Identity Finder, data breach costs range from $1,000 to more than $100 million, with 31 percent falling in the $1,000 to $100,000 range. Primary avenues for breach were hacking/malware (35 percent), unauthorized access (27 percent) and physical theft (23 percent).
Corporate enterprise, government entities, healthcare institutions and facilities of higher education have been breached. We find ourselves in the AV/IT (or IT/AV) industry looking out at a global enterprise environment that can fall prey in numerous ways and measures to vulnerability and compromise. What can we do here for the benefit of the industry itself?
When we talk about educating as well as disseminating information, we must consider that first and foremost, as an industry, we need to be mindful of the end-user customer for whom we are considered that “value-added partner.” Next, we need to understand that an industry that exists on a global basis needs to be informed as well as it can be about such matters concerning the very consumer we provide solutions and services for.
I had the opportunity to discuss this with a leader in the AV Industry who is also deeply involved in IoT and network security, Gary Hall, CTS-D, CTS-I, Chief Technology Officer for Federal Defense at Cisco Systems. Gary is also President-Elect of the InfoComm Board of Directors. He has been leading efforts to bring together professional audiovisual with IoT and operational technologies and to securely extend the reach of networks to edge environments. On the subject Gary stated, “The need for better cyber security is absolutely critical to the success of digitization efforts that include human to human communications and decision making processes that are facilitated by professional AV systems. The rise of IoT and continued growth in collaboration and communications has created tremendous opportunities to unlock new value in all types of businesses, but they also create new risks that must be mitigated.”
He continued, “Connected devices, including IoT and AV components, have the potential to be compromised and to create vulnerabilities. Hackers are getting more sophisticated and they will find and exploit weakness to cause harm. Not too long ago it was acceptable to protect the network and devices, including AV components, as well as databases and other sensitive information behind basic firewalls. We are now dealing with an omni-directional threat matrix that requires a more holistic approach to security. That means we have to take an architectural view of security that layers and embeds protection at every level to secure from any device to any cloud. It is no longer a matter of if we will be attacked, but when, so we have to have a plan that spans the entire continuum of protection – before, during and after an attack. None of us can afford to be the reason our customers’ most valuable and sensitive data was compromised or their business operations were disrupted. To avoid being part of the security problem while becoming a valuable partner to help our customers unlock new value, gain efficiencies, and apply technology solutions to transform their businesses we must understand and perform our role in cyber security.”
This incident, which I discussed in my blog (as well as Forbes’ somewhat murky approach to it), can very well serve as an eye-opener for the industry and its heads in terms of ramping up that security discussion, even beyond the current standard of cyber security coverage at the major industry shows. Could we soon see exhibitors who provide these solutions at InfoComm?
I also had the opportunity to discuss this with Malissa Dillman, CTS-D, CTS-I, CQT, Director of Training and Education at Kramer Electronics, who is well known for her high-level participation in industry education (she was InfoComm Educator of the Year in 2013). Malissa has been vocal in terms of more industry attention being paid to cyber security, and in a recent discussion (which included talk about IoT as well) she stated, “My concern is that as an industry we have not focused enough energy on how to protect ourselves and our clients from potential cyber security breaches. I hope to bring more education to light on these subjects this year. There’s a great deal to learn and new procedures we should adopt and implement with regards to our AV systems and the vulnerabilities that they present. There are some who say a breach isn’t likely via the AV systems. While it may not be a prime target, who would have thought that one of the biggest data breaches in recent history all began through an HVAC company?”
She continued, “Let’s not forget that Sony Pictures was also hacked with the release of thousands of internal emails that shone less than a positive light on some of the inner communications of their organization. The point being that as an industry we need to educate ourselves and protect our data as well as our client’s data. The bottom line here is that as an industry we must add cyber security to our ever-evolving list of topics that we need to include in our staff development and training.”
In terms of awareness, as well as training on an enterprise level, according to Cisco’s 2016 Annual Security Report*, nearly all companies (97%) deliver security training at least once a year. More companies that have experienced a breach regularly conduct security awareness and/or training programs (96%) than those companies that have not experienced a breach (83%). More Large Enterprises say they have security awareness and/or training programs regularly (93%) compared with Midmarket (88%) and Enterprise (89%) companies – see Figure 90 below.
According to Figure 91 below, frequency of awareness training (along with incidence of formal security policies) is up since 2014:
In November 2015 a keynote speech, “Redefining Cyber Security in the Age of Insecurity,” was delivered by Bill Chang, CEO, Singtel Group Enterprise, at the Singtel Cyber Security Forum in Hong Kong – the description:
We all live in an age where the pace of digitization and mobilization is fast accelerating. As governments and enterprises find new ways to serve their citizens and customers, they are transforming their business models for greater efficiency and customer experience. This not only creates new and exciting business opportunities, but also spawns new threat landscapes in the cyber security space.
Recent study indicated that over 95% of enterprises and government agencies are compromised and don’t know it. As new technologies are developed and implemented, they also present new attack vectors that evil doers can take advantage of to attack your IT security systems and processes. And often, enterprises and governments are compromised without even knowing. Not only do they need to be able to protect, respond and recover from these acts, they must be able to pre-empt such attacks.
Just what do these statements and perspectives, along with the numbers, tell us? That it’s time for the industry to give the same level of attention to cyber security discussion, awareness and education as it does to IT, IoT and convergence.
More on this subject to come.
* The Cisco 2016 Annual Security Report can be downloaded here.