Security has arisen as a significant issue in the AV industry over the past several years. Several high-profile incidents have made people question what they should be doing about it. I (and others) have written about it, trying to give our readers some thoughts about where to start. As I read more about security and consider what we need to do, I realize that many of us have skipped ahead. We are reacting to problems that have occurred, rather than developing a strong strategy and then being tactical in executing it.
In the information technology security world, practitioners often consider three areas: security, privacy and compliance. Most of what has been discussed in the AV industry falls under security. Security concerns the protection of data. That may be any of the records or data you store in your business, be it customer data, proprietary information or employee information. It covers not only confidentiality (others don’t get it) but also integrity (nobody alters it) and availability (you don’t lose access to it). Threats to your access are typically thought of as ransomware, where an attacker holds your data for ransom, or a technical attack such as a denial of service (DoS) that simply prevents you from reaching it. Privacy is about the data you may hold (or have access to) that belongs to other people. This can include customer personal information and employee personal information. Finally, compliance is your responsibility, as defined by laws and regulations, to protect any data you may have. Ethical security people also go beyond simply “following the law” and consider what the right thing to do is. These are expensive areas to address. How does one decide where to start in developing a strategy? It is actually fairly simple to get started. There are several tools online for performing a security risk assessment. These tools are extremely simple in design, many are just Excel files, but they are very powerful in how they let you think through each case.
A good tool will help you think through each category, even though the categories tend to leak into one another. The tool starts by naming an issue or problem. Let’s say an unauthorized actor gains access to proprietary data (think of your customer relationship management system) and sells it. The tool then walks you through the consequences. What is the financial impact? What is the reputational impact? Typically you score each on a numerical scale. Next, it asks how likely this is to happen. Finally, it asks what you could do to mitigate the risk, and you score each mitigation on a dual scale of difficulty and expense. The tool then combines these scores into a final score for each scenario that helps you decide where to start.
Let’s take a look at that scenario for a typical national integrator. The scenario states that an unauthorized person gains access. So this is not an internal employee who already has access to the data; it is someone who has gained access through nefarious means. They take your client information and sell it. This tells us the actor knows what they are doing and had a plan for the data. What are the financial impacts? That, of course, depends on your CRM tool and how much data you hold in it. Do you have detailed information about past and upcoming projects? Could someone call on these customers pretending to be you and redirect the business? Could they simply use it to follow up on projects they would not otherwise have known about? Do you have notes about dealings with clients that could be embarrassing? Only you can answer and score this for your business. What about the reputational impact? What will your customers think when they learn this data has been breached? Will it bother them? That question will largely be answered by how much information you keep. The next step is the likelihood of this happening. Is your company a worthy target? Finally, what do you need to do to mitigate this? Options here include password policies for your employees, security training, two-factor authentication, firewalling the system and making sure the data lives only on encrypted devices. The scale and cost of each of these differ. Finally, the tool helps you see what is difficult and expensive and what is low-hanging fruit, and therefore where to set your priorities.
This is also an excellent service you can provide to your clients, to help them understand the costs and expectations of the systems you install. Many institutions may tell you they are not worried about their internal data; they have a security team on that already. Even so, they may not think of AV as having security and privacy problems of its own. So walk them through it. Think about cameras in conference rooms or meeting spaces and run them through the tool. What are the financial and reputational issues if someone were able to gain access to that audio and video? What is the likelihood that someone could do so? The likelihood and the impacts depend on where the equipment is installed. The executive boardroom has a different risk factor than a standard huddle room. What steps would they like you to take, and what costs are they willing to accept, in order to mitigate those risks?
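To make the scoring concrete, here is a small risk register written for this article as an added example; it is not the spreadsheet tool the article describes, nor any particular vendor's assessment template. The 1-to-5 scales, the formula (worst impact times likelihood, with each mitigation ranked by risk removed per unit of difficulty plus expense) and the three sample scenarios (the CRM sale above, the boardroom camera and a huddle-room camera) are all constructed assumptions; a real tool may weight things differently, but the shape of the exercise is the same.

```python
"""Minimal risk register in the style of the spreadsheet tools the article describes.

Everything here is an illustrative assumption: the 1-5 scales, the scoring
formula and the sample scenarios are constructed for this example and are not
taken from any particular assessment tool.
"""
from dataclasses import dataclass

LOW, HIGH = 1, 5  # assumed scoring scale for every field below


def _score(value, name):
    """Reject anything outside the 1-5 scale so a typo cannot skew the ranking."""
    if not isinstance(value, int) or not LOW <= value <= HIGH:
        raise ValueError(f"{name} must be an integer from {LOW} to {HIGH}, got {value!r}")
    return value


@dataclass(frozen=True)
class Mitigation:
    name: str
    difficulty: int        # 1 = trivial change, 5 = major project
    expense: int           # 1 = negligible cost, 5 = large capital spend
    likelihood_after: int  # likelihood of the scenario once this control is in place

    def __post_init__(self):
        for attr in ("difficulty", "expense", "likelihood_after"):
            _score(getattr(self, attr), attr)

    @property
    def cost(self):
        """Combined difficulty + expense: 2 is low-hanging fruit, 10 is a big lift."""
        return self.difficulty + self.expense


@dataclass(frozen=True)
class Risk:
    scenario: str
    financial_impact: int
    reputational_impact: int
    likelihood: int
    mitigations: tuple  # tuple of Mitigation

    def __post_init__(self):
        for attr in ("financial_impact", "reputational_impact", "likelihood"):
            _score(getattr(self, attr), attr)

    @property
    def impact(self):
        # The worse of the two impacts drives the score: a breach that is only
        # mildly expensive but badly embarrassing is still a serious breach.
        return max(self.financial_impact, self.reputational_impact)

    @property
    def inherent_score(self):
        return self.impact * self.likelihood

    def residual_score(self, m):
        """Score if the mitigation is applied (it lowers likelihood, not impact)."""
        return self.impact * m.likelihood_after


def rank_risks(register):
    """Highest inherent score first: the scenarios to look at before anything else."""
    return sorted(register, key=lambda r: r.inherent_score, reverse=True)


def prioritized_actions(register):
    """Every mitigation in the register, ordered by risk removed per unit of cost."""
    rows = []
    for r in register:
        for m in r.mitigations:
            reduction = r.inherent_score - r.residual_score(m)
            rows.append({
                "scenario": r.scenario,
                "mitigation": m.name,
                "reduction": reduction,
                "cost": m.cost,
                "value": round(reduction / m.cost, 2),
            })
    # Ties on value are broken by absolute reduction, so the bigger win comes first.
    return sorted(rows, key=lambda row: (row["value"], row["reduction"]), reverse=True)


# Constructed sample register: three scenarios scored the way an integrator might.
REGISTER = (
    Risk("Outsider steals CRM data and sells it", 4, 4, 3, (
        Mitigation("Enforce two-factor authentication on the CRM", 2, 2, 1),
        Mitigation("Security awareness training for staff", 2, 1, 2),
        Mitigation("Firewall the CRM to the office and VPN", 3, 2, 2),
    )),
    Risk("Outsider watches boardroom camera and audio", 3, 5, 2, (
        Mitigation("Change default camera credentials", 1, 1, 1),
        Mitigation("Put AV gear on an isolated VLAN", 3, 2, 1),
    )),
    Risk("Outsider watches huddle-room camera", 1, 2, 2, (
        Mitigation("Change default camera credentials", 1, 1, 1),
    )),
)

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.inherent_score:>3}  {r.scenario}")
    print()
    for row in prioritized_actions(REGISTER):
        print(f"value {row['value']:<5} removes {row['reduction']:>2} at cost {row['cost']:>2}: "
              f"{row['mitigation']} ({row['scenario']})")
```

Run it and the first list reproduces the article's point about placement: the boardroom camera scores 10 against 4 for the huddle room with the same likelihood, purely because the reputational impact differs. The second list is the "where to start" view: changing default camera credentials in the boardroom and adding two-factor authentication on the CRM come out ahead of the VLAN and firewall work, not because they remove more risk in absolute terms, but because they remove the most risk per unit of effort and cost.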
My experience is that moving through a tool like this, both internally and with your customers, eliminates some of the fear and hysteria that comes with security. It allows your customers, in particular, to decide their own impacts, likelihood and appetite for remediation. Most importantly, it lets everyone understand which risks they are taking on, and which they are eliminating.