GDPR (General Data Protection Regulation) compliance and cybersecurity are intrinsically linked. Regulators want personal data protected; at the same time, cybercriminals are planning how to steal that same data for financial gain.
The risks of complacency around GDPR compliance and inadequate cybersecurity have been widely publicized since the regulation came into force. British Airways and Marriott International were two high-profile examples that made headlines when they were fined for losing customer data after falling victim to cyberattacks.
This raises the importance of a business cybersecurity strategy as a way of limiting the fines that can follow a compromise. GDPR (Article 83(5)) gives regulators the power to issue fines of up to €20m or 4% of a firm's total worldwide annual turnover, whichever is higher.
While the risks related to cyberattacks and data breaches continue to increase, so do the penalties and fines that follow if inadequate cybersecurity measures are judged to have been taken. CSO, a provider of news, analysis and research on security and risk management, reports that cyberattacks and data breaches together are the number one business risk today.
The recent large GDPR fines have sent shockwaves across the industry. New research by data security company Clearswift has shown that the financial penalties have started to influence board-level spending plans in relation to cybersecurity. Clearswift claims that almost one third of companies (32%) reference the GDPR fines against British Airways and Marriott International as being the primary reason for an increase in board-level involvement and/or provision for IT security spending.
Boards are realizing that the cost of noncompliance, a cyberattack or a data breach is significantly greater than any saving made by selecting cheaper equipment from a supplier that can't demonstrate its cyber maturity. The impact of a fine, reputational damage, loss of service or loss of customer trust carries far more weight.
Considerations for compliance and opportunities for system integrators
All stakeholders have their part to play in making sure that an organization is protected from a cyberattack. Security system integrators that understand the cybersecurity challenges and can demonstrate their cyber maturity will gain a greater level of trust from their existing customers, as well as new potential clients.
At the same time, aligning your offering to reduce the cyberattack risk carried by physical security systems will create new opportunities. Like any layer of security, there is no expectation that this comes for free. Organizations increasingly see value in paying third parties to support their cybersecurity strategy and minimize their exposure to an attack.
As a result, IT departments now drive much of the focus and have greater influence over these purchases. It's crucial to consider the expectations of IT decision makers and security departments, and it's clear that they expect system integrators to take on responsibilities including updating systems and patching firmware. In short, IT managers want third-party support to behave like a partner, not just a supplier.
The value of a service and maintenance contract
While some system integrators may have seen service and maintenance contracts drop in recent years, this hasn’t been the case for those looking after IT systems. Today’s reality is that physical and electronic security systems have now become IT systems, largely using the same infrastructure.
Long gone are the days when camera technology needed any form of mechanical maintenance. That does not mean the value of a service and maintenance contract has changed, however: the same ongoing best practices still need to be followed, they are now simply software and firmware practices.
It's not surprising that some clients have issued fewer service and maintenance contracts beyond the warranty and defects period. But for a business with no service and maintenance contract in place, who is responsible for maintaining the cybersecurity integrity of these systems? Without regular updates and ongoing attention to system security, a data breach becomes a question of when, not if.
If you have been appointed as the customer's service and maintenance provider, there can be an expectation that this covers all aspects of hardware and software unless the contract states otherwise. To clarify the support requirement, with a focus on firmware updates and patches, it helps to agree the following points with the client:
- If firmware updates and patches are not included in the support contract, who is responsible for them? And what are the knock-on effects of another stakeholder carrying out these updates on a system that you have responsibility to maintain?
- If you don’t include firmware and patch updates as part of your offer, what will the perception of the client be, especially if your competitors can provide this service?
From these considerations, it's clearly advantageous for a system integrator to understand the manufacturer's approach to firmware updates and patches. Knowledge of the process, which can be as simple as it is effective, will help you articulate your approach to cybersecurity and confirm that all security updates and requirements are included in your offer.
Ultimately, this will reflect favorably during the procurement process. Demonstrating that you understand the importance of today’s service and maintenance contracts beyond traditional planned preventative maintenance will both build confidence among your customer base and support contract wins.
Why firmware and patch updates are so important
In the UK, the Information Commissioner's Office (ICO), the equivalent of the Data Protection Authorities (DPAs) in each EU member state, has in the past issued guidance specifically on patch management. The guidance states: 'Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act* is serious enough to warrant a civil monetary penalty.' (*The seventh principle of the Data Protection Act 1998 required appropriate technical and organisational measures against unauthorised processing, loss or damage; its GDPR equivalent is the integrity and confidentiality principle in Article 5(1)(f), backed by the security of processing obligations in Article 32.)
Poor patch management leading to major breaches of consumer data is a problem that global organizations need to address, not least because failure to patch has already resulted in financial penalties. A worrying statistic reported by CSO is that '60% of breaches involved vulnerabilities for which a patch was available but not applied'. The liability does not stop with the customer. A system integrator that processes personal data on a customer's behalf, for example through remote access to a video system it maintains, is a data processor under GDPR (Article 28); processors can be fined directly (Article 83) and are liable for damage caused where they have not met their processor obligations (Article 82). An integrator that has left available patches and firmware updates unapplied on a system it is contracted to maintain should therefore expect to share in the consequences of a breach.
So, what are your technology partners doing to help you support your customers in the security challenge? Equally important within the competitive landscape, what are they doing to help you gain more from cybersecurity business opportunities through tools and services that enable you to operate more efficiently?
AXIS Device Manager
AXIS Device Manager is an easy, cost-effective and secure way to manage connected devices. It offers installers and system administrators an effective tool to manage all installation, security and maintenance tasks.
One of the key benefits of AXIS Device Manager is the ability to harden all Axis devices attached to the network, reducing their attack surface in line with the Axis Hardening Guide. The Axis Hardening Guide follows established baselines such as the CIS Controls, Version 6.1, previously known as the SANS Top 20 Critical Security Controls.
This lets commissioning engineers build a hardened device configuration once, save it as a profile and apply it to the rest of the organisation's devices. That significantly reduces commissioning time and, because every device receives the same baseline, removes the one misconfigured device that would otherwise be a single point of exposure, hardening the system as a whole. The ability to roll out firmware and patches quickly and efficiently lets system integrators monitor video surveillance systems proactively and carry out updates without disrupting existing integrations with connected systems. AXIS Device Manager also tracks the firmware updates issued to address Common Vulnerabilities and Exposures (CVE) entries, in line with the Axis vulnerability management policy.
Firmware strategy
It has been reported that firmware updates will become more important than hardware warranty agreements. This is no surprise when we consider that manufacturer hardware warranties run from one to five years, yet in practice the technology is expected to stay deployed for seven to ten years or more. Over that period the risk to businesses from cyberattacks and data breaches only grows. Hardware being out of warranty is no reason for the manufacturer to stop providing firmware updates.
A good example is the strategy Axis offers as part of its ongoing device lifecycle management, which gives each device a choice of two firmware tracks. The active track adds new features alongside cybersecurity and stability improvements. The long term support (LTS) track adds no new features, so integrations that have been built against the device keep working, while security and stability fixes continue. If the device already has the functionality you require, LTS is the recommended track.
No equipment lasts forever. Innovation drives technology change, and this is where opportunities arise. Operational features that address business problems are often high on an organisation's agenda, but a robust business case is always required, and even then board-level budget approval may not be given. Framing the refresh around the risk of not updating the technology, rather than around operational efficiencies, may be a more effective way to secure the investment.
‘End of’ considerations and opportunities
Two further considerations when supporting your client with equipment replacement strategies are end of life equipment and end of support equipment. Understanding the difference helps explain how the resulting opportunities can be presented to your clients.
End of life
End of life (EOL) is a term indicating that the vendor will stop selling the product, usually when a new offer becomes available. Organizations using technology that has reached EOL shouldn’t panic, as it often means that a better alternative is available. Neither should EOL impact a manufacturer’s warranty period.
End of support
By contrast, end of support (EOS) is when the vendor ceases support for a product or service, and this typically covers both hardware and software. While a credible manufacturer will publish the EOS date at the point it announces end of life, it's vital for an organization to keep track of the EOS dates of every technology deployed across its enterprise. EOS is the point at which the vendor stops issuing firmware updates and patches, so any vulnerability found after that date stays unpatched and exploitable, with the data breach risk that implies. For this reason, EOS is a key factor for the stakeholders responsible for a site's IT policies and cybersecurity strategy.
At some point, all software becomes out of date and obsolete. When it reaches this stage, the recommendation of the UK National Cyber Security Centre (NCSC), the equivalent of the European Union Agency for Cybersecurity (ENISA), is that it should not be used. The NCSC acknowledges that this isn't always possible, but highlights the problems of using obsolete software as follows:
- The software will no longer receive security updates from its developers, increasing the likelihood that exploitable vulnerabilities will become known to attackers
- The latest security mitigations are not present in older software, increasing the impact of vulnerabilities, making exploitation more likely to succeed, and making detection of any exploitations more difficult.
In combination, these issues mean that high-impact security incidents become more likely to occur, including malware that’s developed to exploit ‘wormable’ vulnerabilities, which can cause catastrophic consequences across an entire organization.
Most large organizations understand that software and hardware have a shelf life and build a hardware replacement strategy into annual budgets to avoid carrying unnecessary risk. This creates an opportunity for maintenance providers to support their clients when upgrading to newer technologies.
For organizations that don't have a lifecycle management program in place, a security system integrator has the opportunity to support its customers proactively and advise when a technology refresh will be needed. That gives time for budgets to be allocated and projects to be secured, so the security integrity of the deployed systems is maintained.
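The lifecycle program described above, together with the active/LTS firmware tracks and the end-of-support tracking discussed earlier, comes down to a recurring audit of the device inventory against the vendor's published data. The following is an added example, not Axis code or output from AXIS Device Manager: it audits a constructed inventory for three conditions (firmware behind the newest release on the device's own track, end of support already passed, and end of support falling inside the next budget cycle). The model names, version numbers, dates and device names are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not Axis code. Models, versions, dates and device names below
# are constructed for illustration only.


def parse_version(version: str) -> tuple:
    """Convert '10.12.4' to (10, 12, 4) so versions compare numerically.

    Comparing version strings as text is a classic inventory bug:
    '9.80.3' sorts after '10.12.4' lexically, but (9, 80, 3) < (10, 12, 4).
    """
    return tuple(int(part) for part in version.strip().split("."))


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    firmware: str   # version currently running on the device
    track: str      # firmware track the site has standardised on: "active" or "lts"


# Hypothetical vendor lifecycle data: newest release per model and track, and the
# date after which no firmware or patches are issued for the model.
LATEST_RELEASE = {
    "CAM-1000": {"active": "11.4.0", "lts": "10.12.6"},
    "CAM-2000": {"active": "11.4.0", "lts": "10.12.6"},
    "CAM-0500": {"lts": "9.80.3"},          # older model: only an LTS track remains
}
END_OF_SUPPORT = {
    "CAM-1000": date(2029, 12, 31),
    "CAM-2000": date(2027, 6, 30),
    "CAM-0500": date(2024, 3, 31),
}

# Constructed date on which the audit is run.
TODAY = date(2026, 9, 1)


def audit_device(dev: Device, today: date, horizon_days: int = 365) -> list:
    """Return the lifecycle findings for one device; an empty list means nothing to do."""
    findings = []
    eos = END_OF_SUPPORT.get(dev.model)
    if eos is None:
        # No lifecycle data at all: treat as unsupported until the vendor confirms otherwise.
        return [f"model {dev.model} has no lifecycle data: treat as unsupported"]

    if today > eos:
        findings.append(f"past end of support ({eos.isoformat()}): no further patches, plan replacement")
    elif today + timedelta(days=horizon_days) >= eos:
        findings.append(f"end of support on {eos.isoformat()} is within {horizon_days} days: budget replacement now")

    tracks = LATEST_RELEASE.get(dev.model, {})
    latest = tracks.get(dev.track)
    if latest is None:
        findings.append(f"track '{dev.track}' is not offered for {dev.model}; available: {sorted(tracks)}")
    elif parse_version(dev.firmware) < parse_version(latest):
        # Compare only against the device's own track: a device on LTS is not
        # "behind" just because the active track carries a higher number.
        findings.append(f"firmware {dev.firmware} is behind {dev.track} release {latest}: schedule update")
    return findings


def audit(devices, today: date, horizon_days: int = 365) -> dict:
    """Audit a whole inventory; the result maps device name to its list of findings."""
    return {d.name: audit_device(d, today, horizon_days) for d in devices}


# Constructed site inventory.
INVENTORY = [
    Device("lobby-cam", "CAM-1000", "11.4.0", "active"),
    Device("car-park-cam", "CAM-2000", "10.12.4", "lts"),
    Device("loading-bay-cam", "CAM-0500", "9.80.3", "active"),
    Device("mystery-cam", "CAM-9999", "1.0.0", "active"),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(name, "-> OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Run on the constructed inventory, lobby-cam is current and reports nothing; car-park-cam is behind its LTS release and its model reaches end of support within the 365-day budget horizon; loading-bay-cam is already past end of support and its model no longer offers an active track; mystery-cam has no lifecycle data and is treated as unsupported. In a real deployment the two lookup tables would be fed from the manufacturer's published lifecycle and release information rather than hard-coded.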
Demonstrate your cybersecurity support
Cybersecurity and GDPR compliance are high on the agenda of most, if not all, end users. Demonstrating your awareness and understanding of these challenges, and how you plan to support your clients with their cybersecurity strategy, can only differentiate your offer positively.
By using the free tools that Axis provides, you will not only safeguard your customers against the risks posed by cyberattacks and data breaches, but also become a trusted advisor and partner. The Axis tools enable you to support customers with replacement strategies for EOS equipment and allow the security and IT functions to plan accurate budgets in advance. For you, that means better visibility of future projects and an increased number of service and maintenance contracts.