Are These Security Vulnerabilities Putting Your Company at Risk?

Jeff Smith

Companies face many security vulnerabilities from external and internal threats, and some of them can have severe consequences, from financial costs, to loss of life, to disclosure of intellectual property. A data breach is one of the types we hear about most often. The average cost of a data breach for a pharmaceutical company is $5 million according to a 2020 study from IBM and the Ponemon Institute. For one company, the cost of a single breach was as high as $1.3 billion.

In our experience as security consultants, many large companies have gaps in their security programs that could leave them vulnerable to major breaches, whether cyber or physical. In this article, we present five questions to consider in evaluating how sound your company’s security program is. A security assessment from a professional security consultant such as TEECOM can determine exactly where your security vulnerabilities lie and how best to address them.

1. When Was the Last Time Your Critical Passwords Were Changed?

Shockingly, some of the largest companies do not know the answer to this question. We have seen a company find out it had been using the same password for all of its access control and video camera servers for the past 10 years. Every technician that had worked on the system had that password and potentially wrote it down or shared it with others. Most companies have not verified that all of their security device default passwords have been changed. Most security managers do not have a policy to change passwords at regular intervals and a procedure to verify that the default password was changed on all devices.

2. Is an Outdated System Leaving You Vulnerable?

A company might have made a technology decision five to 10 years ago that was a very sound decision at the time and has protected the company well, but as the world has changed, that system does not provide all the benefits it used to. Proprietary hardware may leave a company unable to seek competitive bids on maintenance agreements and prevent integration with new subsystems. Companies may be stuck on a dated dedicated IT hardware, making it very expensive to provide redundancy and failover protections. A cloud-based system would be easier to manage and scale, and as the building becomes smarter, would pull data from other building systems (occupancy sensors, lighting controls, HVAC, desk hoteling systems) into a data warehouse/lake.

The time may have come to make another technology decision and invest tens of millions of dollars to protect your organization over the next five to 10 years. To strategize that decision (and potentially plan for the rollout of upgrades), the company needs fully qualified subject matter experts who have your best interest as their guiding priority.

3. Does Your In-House Subject Matter Expert Have All-Encompassing Expertise?

For security leadership, it is common for companies to select the person in-house whose experience most closely fits the desired qualifications, rather than recruiting someone who fully meets the qualifications. As time goes by, the company finds itself dissatisfied.

The internal expertise may be limited to that individual’s project experience. They may have spent their career entirely on the Owner side and therefore lack the knowledge to efficiently lead the design and construction process. Many have only worked on one major construction project in their career. They may not be familiar with various delivery models (design-bid-build, design-build, CM-at-risk) and the challenges associated with each process. They may not be aware of all the latest industry trends, cybersecurity best practices, project management processes, and how to leverage the latest technologies and design tools to benefit the project.

Without a subject matter expert with the right type and amount of experience who will guide the decision-making process in the best interest of the company (and whose expertise costs a small percentage of the total implementation cost), you are at the mercy of someone with a financial interest in selling you products.

4. Are You Underutilizing the System You Invested In?

We have found companies that have invested in expensive security systems actually utilizing no more than 10 to 20% of the system’s full capabilities, not receiving the full value of their investment and leaving them much more vulnerable than they think. Doors might not be reporting alarm events, for instance. Cameras and card readers might not be integrated.

Maximization of all of the system’s capabilities will enable “event-driven security.” Studies show that no more than six cameras (out of potentially 500) can be actively monitored by a person. With event-driven security, a breach alerts the person, shows where on the map it occurred, automatically displays images of the alarm event, and calls up “post orders,” which indicate the initial guard force response to the particular situation. Very few companies have this in place, and it can be implemented on most integrated systems without significant additional cost.

5. Is Your Maintenance Agreement Protecting Your Investment?

In many cases, systems were installed without proper documentation. This leaves the legacy installer as the gatekeeper for system maintenance and updates. Without documentation, the company cannot issue a maintenance agreement RFP for competitive bidding. This leaves the company vulnerable if the maintenance provider is not keeping your system up to date with the current standard of care. It can also lead to companies overpaying for this substandard level of care. Many companies also lack metrics to measure things like service response times, call closing rates, and spare parts costs, which reflect the value received for the cost of the maintenance agreement.


We bring the following advantages to serve our clients’ programs:

  • Our security subject matter experts bring decades of expertise, spanning many market sectors (healthcare, higher education, life science and technology, transportation, and workplace), as well as Owner, design, and contractor experience.
  • We conduct security assessments to determine any vulnerabilities in existing programs.
  • We provide comprehensive documentation to help contractors install correctly and enable the Owner to consistently replicate the security system installations across the organization.
  • We help our clients develop guidelines and standards that enable them to deliver global programs with a consistent user experience and greater ease of long-term maintenance.
  • We rigorously coordinate designs with all AEC partners involved in the project to mitigate change orders.
  • We collaborate with the Owner to understand their business objectives and how the project can advance those goals.
  • We act as an extension of in-house teams to prevent them from becoming overloaded and allow them to focus on what they do best while they leverage our expertise for only the hours they need.
  • We use Asana, a cloud-based unified task management tool that makes our work for our clients more efficient and consistent and our cost estimates more accurate.
  • With in-house research and development, we understand the latest trends and technologies in the industry. We choose technologies (security, IT, AV, acoustics, network, wireless) that are cost-effective, scalable, and provide actionable data.

Let’s have a conversation. Our security experts can perform an initial assessment of your program to determine where security vulnerabilities exist and what the best approaches to addressing them are. To schedule a conversation, use the Contact TEECOM form at the bottom of the page.

Jeff Smith
Jeff Smith, Principal, Vice President

Jeff puts his decades of experience across all physical security disciplines to work creating systems that will last for the lifespan of his clients’ buildings. He started his career as a technician doing field implementation, a perspective that informs his approach to usability and efficiency. Jeff oversees the entire security department at TEECOM and ensures that the security component of all projects is integrated within the overall technology system.