Companies face many security vulnerabilities from external and internal threats, with potentially severe consequences ranging from financial costs, to loss of life, to disclosure of intellectual property. A data breach is one of the vulnerabilities we hear about most often. According to a 2020 study from IBM and the Ponemon Institute, the average cost of a data breach within the pharmaceutical industry was $5 million and the cost of a breach for a single company was as high as $1.3 billion!
As security consultants, we have seen many large companies that have gaps in their security programs that could leave them vulnerable to major breaches, both cyber and physical. Here are five questions that your organization should consider in evaluating how sound your security program is. At TEECOM, we can provide a detailed security assessment to determine exactly where your vulnerabilities lie and how best to address them to help protect your business.
1. When Was the Last Time Your Critical Passwords Were Changed?
Shockingly, some of the largest companies do not know the answer to this question. We have seen a company realize it had been using the same password for all of its access control and video camera servers for the past 10 years! Every technician who had worked on the system had that password and potentially wrote it down or shared it with others. Most security managers do not have a policy to change passwords at regular intervals or a procedure to verify that passwords were changed on all devices.
2. How Old Is Your Security System?
As the world changes and evolves, so does technology – a security system that protected a company five to 10 years ago no longer provides top-of-the-line benefits. In addition to outdated technology, proprietary hardware may leave a company unable to seek competitive bids on maintenance agreements and prevent integration with new subsystems. Companies may be stuck on dated dedicated IT hardware, making it very expensive to provide redundancy and failover protection. A cloud-based system would be easier to manage and scale, and as the building becomes smarter, would pull data from other building systems (occupancy sensors, lighting controls, HVAC, desk hoteling systems) into a data warehouse/lake.
The time may have come to make another technology decision and invest tens of millions of dollars to protect your organization over the next five to 10 years. To strategize that decision (and potentially plan for the rollout of upgrades), your company needs fully qualified subject matter experts who have your best interest as their guiding priority.
3. Does Your In-House Subject Matter Expert Have All-Encompassing Expertise?
When it comes to designating security leadership, companies often select the person in-house whose experience most closely fits the desired qualifications, rather than recruiting someone who fully meets the qualifications. As time goes by, the company finds itself dissatisfied with the state of its security.
The internal expertise may be limited to that individual’s project experience. They may have spent their career entirely on the Owner side and therefore lack the knowledge to efficiently lead the design and construction process. Many have only worked on one major construction project in their career. They might not be familiar with various delivery models (design-bid-build, design-build, CM-at-risk) and the challenges associated with each process. They may not be up to date on the latest industry trends, cybersecurity best practices, and project management processes, or know how to leverage the latest technologies and design tools to benefit the project and company as a whole.
Without a subject matter expert with the right type and amount of experience who will guide the decision-making process in the best interest of the company (and whose expertise costs a small percentage of the total implementation cost), you could be at the mercy of someone with a financial interest in selling you products.
4. Are You Accessing Your System’s Full Potential?
We have found that companies that have invested in expensive security systems are actually utilizing no more than 10 to 20% of the system’s full capabilities, so they are not receiving the full value of their investment and are much more vulnerable than they think. For instance, doors might not be reporting alarm events while cameras and card readers might not be integrated. Maximization of all of the system’s capabilities will enable “event-driven security.”
5. Is Your Maintenance Agreement Protecting Your Investment?
In many cases, we have found that systems were installed without proper documentation. This leaves the legacy installer as the gatekeeper for system maintenance and updates. Without documentation, the company cannot issue a maintenance agreement RFP for competitive bidding. This leaves the company vulnerable if the maintenance provider is not keeping its system up to date with the current standard of care. It can also lead to companies overpaying for this substandard level of care. Many companies also lack metrics to measure things like service response times, call closing rates, and spare parts costs, which reflect the value received for the cost of the maintenance agreement.
TEECOM Can Help
Let’s talk! Our security experts can perform an initial assessment of your program to determine where security vulnerabilities exist and what the best approaches to addressing them are. To schedule a conversation, contact us using the form at the bottom of the page.