This month Simon Banks talks to Mike Gillespie, Founder of Advent IM Ltd the UK's leading independent information security and physical security consultancy. Mike is also Vice President of ‘The Centre for Strategic Cyberspace + Security Science’, where he promotes thought leadership and awareness to a global audience on the current threats to organisational information assets emanating from cyberspace.
As an expert in cyber research and strategy, what basic advice would you give to Security Installers looking to protect themselves, their core business and their customers from cybercrime?
Stay in touch with the threat landscape and understand the nature, various sources and capabilities of the threat posed from cyberspace. Implement good quality, basic cyber security controls as well as secure cyber essentials and certification. Leave all installations in a secure state and never with default passwords or ‘admin’ as the user. I have seen ‘admin’ as a user on compromised accounts innumerable times! Invest in specific, well designed training rather than out of a box generic training. Make sure that Cyber Security teams have sight of any systems that require updates, patching or are connected or web-enabled. The gaps between physical systems and non-physical security teams is one that is very easily exploited by criminals but with some quality communications, one of the most straightforward to start to rectify.
There are multiple threats through cybercrime in everyday life, what specific threats challenge the Fire and Security industry?
Fire and security systems are increasingly joined up and interconnected. This makes them an attractive target for criminals and terrorists. They also generate a huge amount of data that is attractive to nefarious groups, such as hackers. These systems often get connected to corporate networks, which makes them worryingly easy to exploit and provide a route to access very valuable or sensitive information. This could be research or other valuable intellectual property, or perhaps customer databases, employee personal, health or financial information. We have seen exposure of this type have devastating effects on a business. This kind of exploitation is often a result of kit being manufactured without adequateb security, coupled with lack of security training on the behalf of the installer and a basic lack of knowledge about the threat from cyberspace.
There have been several high profile cyber-attacks recently, what can security manufacturers’ do to help Installers combat this threat?
We need manufacturers to be moving toward secure by design; individual components are time and again proven to be vulnerable. Until we accept that responsibility - this does not lie with the end-user - we will continue to move vulnerable and insecure kit. The industry needs to develop an intuitive means by which security patches can be made available to ensure systems can be kept secure. The cost of managing systems through their lifecycle needs to be factored into ongoing costs. The cost does not end at installation, neither does it end when the system is no longer needed. It may require secure destruction, or some of the data it generates or hard drives it uses might. Make sure that users know that they need to consider all of this when they are seeking specifications for systems.
“Prism Alarms monitoring the situation! Ready to install some @CSLDualCom monitoring from DigiAir to GradeShift G4”
Tweeted by @PrismAlarms – Oct 26