Tenable, Inc., the globally renowned cyber exposure company, has published a global industry study that revealed the vast majority of UK organizations (96%) have experienced a business-impacting cyber-attack in the past 12 months, according to both business and security executives.
The data is drawn from ‘The Rise of the Business-Aligned Security Executive’, a commissioned study of more than 800 global business and cyber security leaders, including 103 respondents in the UK, conducted by Forrester Consulting on behalf of Tenable.
As cybercriminals continue their relentless attacks, 63% of respondents in the UK have witnessed a dramatic increase in the number of business-impacting cyber-attacks over the past two years.
Unfortunately, these attacks had damaging effects, with organizations reporting loss of employee data (44%), financial loss or theft (36%) and customer attrition (34%). 65% of security leaders in the UK say these attacks also involved operational technology (OT).
Countering the growing rate of cyber-attacks
Business leaders want a clear picture of how at risk they are and how that risk is changing as they plan and execute business strategies. But only four out of 10 UK security leaders say that they can answer the fundamental question, ‘How secure, or at risk, are we?’ with a high level of confidence, despite the prevalence of business-impacting cyber-attacks.
Looking at global respondents, fewer than 50% of security leaders said they are framing cyber security threats within the context of a specific business risk. For example, though 96% of respondents had developed response strategies to the COVID-19 pandemic, 75% of business and security leaders admitted their response strategies were only ‘somewhat’ aligned.
Measuring and managing cyber security
Organizations with security and business leaders who are aligned in measuring and managing cyber security as a strategic business risk deliver demonstrable results. Compared to their siloed peers, business-aligned security leaders are:
Eight times more likely to be highly confident in their ability to report on their organizations’ level of security or risk.
90% are very or completely confident in their ability to demonstrate that cyber security investments are positively impacting business performance compared with 55% of their siloed counterparts.
85% have metrics to track cyber security ROI and impact on business performance versus just 25% of their siloed peers.
Organizations with business-aligned cyber security leaders are also:
Three times [3.2x] more likely to ensure cyber security objectives are in lockstep with business priorities.
Three times [3.3x] more likely to have a holistic understanding of their organization’s entire attack surface.
Three times [3.3x] more likely to use a combination of asset criticality and vulnerability data when prioritizing remediation efforts.
“In the future, there will be two kinds of CISO - those who align themselves directly with the business and everyone else. The only way to thrive in this era of digital acceleration is to bring cyber into every business question, decision and investment,” said Renaud Deraison, Chief Technology Officer and Co-Founder, Tenable, Inc.
Renaud adds, “We believe this study shows that forward-leaning organizations view cyber security strategy as essential to innovation and that when security and the business work hand-in-glove, the results can be transformational.”
Study to examine cyber security strategies
Forrester Consulting conducted an online survey of 416 security and 425 business executives, as well as telephonic interviews with five business and security executives, to examine cyber security strategies and practices at midsize to large enterprises in Australia, Brazil, France, Germany, India, Japan, Mexico, Saudi Arabia, the UK and the US. The study was fielded in April 2020.
‘Business-impacting’ relates to a cyber-attack or compromise that results in a loss of customer, employee, or other confidential data, interruption of day-to-day operations, ransomware payout, financial loss or theft, and/or theft of intellectual property.
Aqua Security, the pure-play cloud-native security company, announced that its Cloud Native Security Platform is available through Red Hat® Marketplace, an open cloud marketplace that makes it easier to discover and access certified software for container-based environments across the hybrid cloud.
Built in partnership by Red Hat and IBM, Red Hat Marketplace is designed to meet the unique needs of developers, procurement teams and IT leaders through simplified and streamlined access to popular enterprise software products, including the Aqua Platform.
Prevent suspicious activity
The Aqua Platform provides full visibility into application activity, allowing organizations to detect and prevent suspicious activity and attacks, providing transparent, automated security while helping to enforce policy and simplify regulatory compliance. Aqua’s native integration with OpenShift provides a full-stack security solution for joint customers, automating security controls in CI/CD pipelines such as OpenShift Pipelines and enforcing application immutability in production.
The Red Hat Marketplace makes it easy for users to find and purchase the Aqua Platform, and they can then use the on-demand deployment capability to install and evaluate Aqua with zero-touch and minimal configuration. Existing customers can also use the same on-demand, zero-touch environment to purchase additional licenses.
Growing business efficiently
“Enterprise buying patterns are increasingly shifting toward automated, online billing mechanisms that allow companies to leverage existing cloud or services budgets, as well the flexibility to utilize OPEX budgets for software purchases when necessary,” said Dror Davidoff, CEO and co-founder of Aqua. “By working more closely with our industry-leading partners like Red Hat and IBM, we are able to leverage the multitude of sales platforms they offer to help accelerate time-to-value for our joint customers while growing our business efficiently.”
“We believe Red Hat Marketplace is an essential destination to unlock the value of cloud investments,” said Lars Herrmann, senior director of technology partnerships, Red Hat. “With the marketplace, we are making it as fast and easy as possible for companies to implement the tools and technologies that can help them succeed in this hybrid multi-cloud world. We've simplified the steps to find and purchase the Aqua Platform that is tested, certified and supported on Red Hat OpenShift, and we've removed operational barriers to deploy and manage Aqua on Kubernetes-native infrastructure to secure your applications.”
All solutions available through the Red Hat Marketplace have been tested and certified for Red Hat OpenShift Container Platform, allowing them to run anywhere OpenShift runs.
During the Black Hat USA 2020 Virtual Event, Exabeam, the Smarter SIEM™ company, announced that customers can now license its cloud SIEM technology by use case, beginning with licensable use cases for expedited insider threat and compromised credential detection. In addition, to simplify the process of acquiring and installing critical security content, the company is unveiling the new Exabeam Content Library, an easy-to-use security content repository to help organizations deploy advanced use cases more efficiently. Exabeam use case content increases threat visibility and enables security operations center (SOC) teams to extract more value from their SIEM.
According to the ‘Exabeam 2020 State of the SOC Report,’ security managers and analysts rated their ability to create content the lowest among all hard skills, yet creating rules and models to detect advanced threats, like lateral movement and credential switching, is critical to their security maturity. By providing a simple way to acquire the content needed to detect and remediate these critical security use cases, Exabeam is speeding the time to maturity for organizations.
Security business needs
“Security use cases for a SIEM tool should be a priority in the CISO’s tool box, and should not only cater to basic security hygiene, for which best practices exist, but also cater to the business needs of the organization,” wrote Gorka Sadowski, senior director analyst at Gartner in a Gartner report.
The Content Library is an online repository of knowledge and content that organizations can use to roll out new use cases. The initial release allows customers to quickly map data sources to security use cases and to download the necessary parsers. Exabeam is also announcing new, easy-to-implement content and tools to help customers maintain security as they adapt to a remote workforce.
Investigate data exfiltration
Exabeam Cloud Connector for Code42 allows security teams to quickly detect and investigate data exfiltration by departing and remote employees, as well as the leak of high value data during a merger or acquisition. This announcement follows the previous release of the Exabeam Cloud Connector for Zoom. The ability for Exabeam solutions to easily plug into existing security environments enhances SOC team speed and efficacy.
“New research shows that one-third of organizations have been hit with successful cyberattacks since the forced move to work from home. As security teams rush to respond to the pandemic and the increase in threats, it is critical that they find cost-effective ways to strengthen and mature their security posture,” commented Adam Geller, chief product officer, Exabeam. “In announcing these innovations, Exabeam is further enabling security teams to rapidly obtain value by detecting insider threats and compromised credentials and improving their security posture for remote employees.”
“Unlike other SIEM vendors, Exabeam has allowed us to quickly add analytics to detect and investigate insider threats without having to replace our existing log management investment,” explained Damien Manuel, Director, Cyber Security Research and Innovation Center at Deakin University. “That’s a critical capability in the context of constantly evolving risks and potential vulnerabilities, and it gives us a smarter strategy to protect our organization, employees, customers and data.”
Exabeam has also released the first of its previously announced Turnkey Playbooks, automated solutions for common security investigations that do not require third-party licenses or configuration. The new Turnkey Playbook for Threat Intelligence automatically identifies malicious domains, IP addresses, URLs, files, and email addresses with no additional configuration or third-party threat intelligence licenses required.
Sectigo, a renowned provider of automated digital identity management and web security solutions, has partnered with ReFirm Labs to help device original equipment manufacturers (OEMs) ensure security and compliance. Under the agreement, Sectigo’s customers will now have access to ReFirm Labs’ firmware scanning tools to analyze device firmware and detect known vulnerabilities, out-of-date open source components, hard-coded encryption keys, expired certificates, and potential zero-day vulnerabilities.
Device firmware presents a largely unprotected attack surface that hackers can use to gain access to - and move laterally within - corporate or critical infrastructure networks.
End-to-end IoT security platform
The explosion of connected devices has escalated this risk, leading industry groups, including the U.S. Cyberspace Solarium Commission, to recommend stronger regulatory enforcement and clearer baseline standards and guidance for IoT device manufacturers and their supply chains to combat attacks on device firmware.
ReFirm Labs’ Centrifuge Platform automates the analysis of IoT and embedded device firmware to identify potential cybersecurity vulnerabilities before OEMs release firmware updates, and before deployment onto device operators’ networks. Sectigo IoT Identity Platform is the industry’s first end-to-end IoT security platform, offering both embedded device identity and integrity technologies, as well as purpose-built certificate issuance and management.
Embedded firewall technologies
By combining the two platforms, OEMs using both Sectigo and ReFirm Labs platforms are able to:
Create more secure embedded software
Guarantee the integrity of device software and validity of certificates at boot, and in software updates
Protect the device by operating through secure boot, secure storage, and embedded firewall technologies
Detect hard-coded encryption keys, expired certificates, and other security vulnerabilities
Ensure compliance with a growing number of IoT security standards, such as NIST 8259, OWASP IoT Top 10, and ISA/IEC 62443
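As an added illustration (not ReFirm Labs’ or Sectigo’s code, and not an implementation of the Centrifuge Platform), the following Python script shows the simplest form of the ‘hard-coded key’ check listed above: it walks a firmware image as raw bytes and reports every PEM-armored block it finds, flagging private keys as high severity. The image and the key and certificate contents are constructed placeholders; a production scanner would also unpack the filesystems inside the image and parse each certificate to check its expiry, which this example does not do.

```python
import re
from typing import Dict, List

# PEM-armored blocks (private keys, certificates, ...) anywhere in a binary image.
# The \1 backreference requires the BEGIN and END labels to match.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def classify(label: str) -> str:
    """Map a PEM label to a finding severity: secret material is 'high'."""
    if label.endswith("PRIVATE KEY"):
        return "high"
    if label == "CERTIFICATE":
        return "info"
    return "low"


def find_pem_blocks(image: bytes) -> List[Dict[str, object]]:
    """Return one finding per PEM block, with its byte offset in the image."""
    findings = []
    for m in PEM_BLOCK.finditer(image):
        label = m.group(1).decode("ascii")
        findings.append({
            "offset": m.start(),
            "label": label,
            "severity": classify(label),
            "body_len": len(m.group(2)),
        })
    return findings


def scan_firmware(image: bytes) -> Dict[str, object]:
    """Summarise the scan: all findings plus a count of hard-coded private keys."""
    findings = find_pem_blocks(image)
    return {
        "findings": findings,
        "hardcoded_private_keys": sum(1 for f in findings if f["severity"] == "high"),
    }


# Constructed sample image (hypothetical): binary filler with a placeholder
# private key and a placeholder certificate embedded in it. The base64 bodies
# are not real key material.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"MIIEowIBAAKCAQEAplaceholder\n"
            b"-----END RSA PRIVATE KEY-----\n")
FAKE_CERT = (b"-----BEGIN CERTIFICATE-----\n"
             b"MIIBplaceholder\n"
             b"-----END CERTIFICATE-----\n")
SAMPLE_IMAGE = (b"\x7fELF" + bytes(range(256)) * 4 + FAKE_KEY
                + b"\x00" * 64 + FAKE_CERT + b"\xff" * 32)

if __name__ == "__main__":
    report = scan_firmware(SAMPLE_IMAGE)
    for f in report["findings"]:
        print(f"offset 0x{f['offset']:06x}  {f['severity']:<5} {f['label']}")
    print("hard-coded private keys:", report["hardcoded_private_keys"])
```

Running it on the constructed image reports the private key at its byte offset as a high-severity finding and the certificate as informational; the offset is what an analyst would hand to a firmware-extraction tool to locate the file that carries the key.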
“Sectigo’s IoT security platform was created to deliver end-to-end security for every connected device, at the point of manufacture and throughout the entire lifecycle,” said Alan Grau, VP of IoT/Embedded Solutions, Sectigo. “By teaming with ReFirm Labs, we are enabling device OEMs to address security and compliance requirements using a comprehensive solution that works across every stage of the device lifecycle.”
IoT device firmware
“Our partnership with Sectigo is an important advancement in addressing the growing market and regulatory pressure that is forcing device OEMs to adopt best practices for developing secure IoT device firmware. Using ReFirm Labs’ Centrifuge Platform, our OEM customers are able to uncover the vulnerabilities in IoT devices. They can then address those problems using Sectigo’s IoT Security platform, and ultimately implement higher levels of security and achieve compliance with new standards for device security,” explained Derick Naef, CEO, ReFirm Labs.
The modern working world has evolved dramatically over the last few decades - from how and when we work, to the places we work from. Widespread internet connection advances, alongside the growth of cloud-based shared working platforms, have not only created the possibility for increasingly flexible working arrangements, but also fueled a desire to do so – particularly among millennials.
The preference for flexible working has now created a widespread need for more agile workforces, saddling IT departments around the world with the task to maintain ‘business as usual’ without compromising corporate privacy.
With flexible working forecasted to stay for the long haul and passwords increasingly under scrutiny, evaluating alternative secure authentication methods to keep companies’ data and networks safe is important to protect these ‘new normal’ ways of working.
The end of the humble password?
A recent report by Raconteur found that the most common method of authentication for securing the digital aspects of workplaces is passwords.
Unfortunately, however, between phishing, hacking and simple guesswork, passwords are easily compromised – a problem that is only getting worse, with IT professionals reporting an increase in phishing attacks in the last few years. Once compromised, passwords can be used to enter untrusted apps or websites and, worst and most commonly of all, give rise to even greater data breaches.
Alongside security concerns, 6 in 10 people worry about forgetting their passwords and, according to a recent Balbix study, 99% of people reuse the same password across different work accounts. This, undoubtedly, is a side effect of the increasingly complex character requirements implemented by many enterprises. This stress and effort leads to frustrated employees, but, more worryingly, forgotten passwords can also cost IT departments millions of dollars a year.
In our flexible, hyper-connected world, it is clear then that the humble password is no longer effective. Additional or alternative layers of authentication are needed to help enterprises maintain their workplace security in a more convenient and cost-effective way.
Smarter workplace authentication with biometrics
Often, hacking incidents involve the use of stolen credentials. One authentication solution that could bring an end to these large-scale hacking attacks is biometrics, as unique biological traits are extremely hard to steal and spoof.
In addition to being a more secure method to authenticate users and prevent fraud in companies’ networks, it is also possible to layer biometric modalities to create a highly convenient and secure multi-modal authentication solution for sensitive areas or information. Spoofing two biometric modalities, such as fingerprint and iris, in the same attack is virtually impossible, but that doesn’t mean this level of security needs to impair the UX. After all, you can put your finger on a touch sensor, while at the same time glancing at a sensor.
For businesses, biometrics can be used in a wide variety of use cases, from securing laptops and applications to authenticating employees at secured access and entry points. It can also be used to add frictionless layers of additional security to any aspect of current security systems, such as key fobs or USB sticks, or to access personalized settings or employee accounts when using shared devices, such as a printer system. This way, beyond playing a role in securing the modern workplace, biometrics can also give employees greater flexibility and convenience over how, when and where they work.
Privacy and biometrics - explained
Many employers and employees worry about safeguarding privacy in the workplace. Considering biometric data is highly personal, it is no wonder, then, that many are concerned about collecting this data for the purpose of workplace security and what liabilities this may expose them to.
Employers must adhere to the relevant workplace privacy laws, such as Europe’s GDPR, and this duty extends to biometrics, of course. But, providing biometrics is implemented in line with best practice, it can actually protect employees’ privacy far more effectively than its predecessor, passwords.
When employers use an on-device approach, their employees can rest assured no one will be able to access or steal their biometric data, as all biometric data is stored and processed on the device - whether that is a laptop, smartphone, USB stick or key fob. Removing the need for data to ever enter the cloud, this also removes the technical and legal complexities of managing a biometric database and, if a key fob is lost for example, all parties can rest assured there is no chance of anyone else being able to use it. A win-win.
Precisely because biometric data is so difficult to steal and spoof, adding biometric authentication to end-point devices can considerably reduce data breaches to keep both sensitive employee and corporate data safe and secure.
Reimagining workplace security
As people work more flexibly, systems are shared more frequently, and attacks get smarter, it is clear to see that passwords alone are no longer enough to secure the modern-day workplace.
Now is the time to reassess the physical and logical access control infrastructure. To keep personal and corporate data safe, it is crucial to add new and additional authentication methods to the security infrastructure. Luckily, the benefits of biometrics are often far simpler to realize than many enterprises imagine.
The beauty of biometrics is its combination of both security and convenience. Compared to other forms of authentication, biometrics offers considerably stronger protection and an enhanced UX that can easily be integrated into existing enterprise security infrastructure – without the need for huge biometric databases to manage or fear.
So, whether to replace outdated passwords or as part of a multi-modal authentication system, biometrics can play an important role in pushing workplace security into a new era for both physical and logical access control.
COVID-19 has been a thorn in the side of countless companies within the security industry and far beyond. Here, we speak with Richard Huison, Regional General Manager for the UK and Europe at Gallagher Security, who summarises his personal experience from these recent months and how Gallagher has adapted in the face of pandemic-induced adversity.
How has the COVID-19 crisis impacted Gallagher on a day-to-day basis?
Gallagher was actually well placed as a result of work already in progress with a number of visionaries and innovators within our business, such as our CIO Neville Richardson. They are determined to put the business on the front foot, making it more digital and proactive in delivering high speed change and we had already been migrating to Microsoft Teams before COVID-19 first reared its ugly head. It’s part of our philosophy to make our business and the solutions we create as stable, reliable and resilient as possible.
It means Gallagher has adapted to the new way of operating fairly seamlessly, while still working alongside the evolving guidance from governments around the world. When lockdown was imposed, we set about prioritising our clients’ needs and delivering on our commitments as a critical supplier. The Gallagher leadership team quickly rolled out the means to stay connected, positive and safe as each region went into isolation. Effective communication, both internally and externally, has always been a critical success factor for our business. That hasn’t changed with the more remote and virtual nature of our communication now and, if anything, it’s even more important both for business continuity and for the personal wellbeing of each and every one of our colleagues.
We’ve quickly adapted to this new way of working and have even become quite adept at recognizing people’s contributions and acknowledging a job well done in new ways, such as using the emojis on Microsoft Teams.
Perhaps the most striking example of this is our new European marketing manager Bethan Thompson, who joined Gallagher on 1 April, little over a week after lockdown was imposed in the UK. She has enjoyed the richest and most comprehensive introduction to the business from the safety of her own home armed with just a laptop and Teams.
What can be the benefits of having employees working from home?
There are many benefits of working remotely, with productivity right at the top of the list. By reducing the unproductive time spent commuting and traveling to meetings, we are able to get much more done in a day. Add to this the reduction in stress and improved work-life balance and it makes for an impressive formula of happier, healthier and more motivated colleagues. And it’s still easy to measure results no matter where someone is working.
To be honest, before COVID, we didn’t disconnect enough, close the laptop, switch off our technology and allow ourselves NOT to respond instantly. But trust is an integral part of our culture at Gallagher and we can easily and effectively continue to champion the right balance and support for the team moving forward.
How can employees ensure they keep a healthy work/life balance?
Working from home can require some personal discipline around taking regular breaks and disconnecting from technology. I encourage all my colleagues to stay active and get regular exercise during the day. Taking time out allows you to process ideas with greater clarity, to be more creative, to plan your day and use your time more effectively – all of which is part of achieving that balance.
And it’s important that we do switch off and close our laptop at the end of the day, which requires some discipline when you work for a business headquartered in New Zealand, where they are 11 hours ahead.
It’s good to cultivate hobbies and welcome distractions that you are passionate about, to switch off from work more effectively. Personally, I love to be outside on a long dog walk with no technology. It’s liberating.
Are you seeing that businesses are already beginning to think differently about their security?
We have to remember why security is important. We all have a different view on how we should maintain business continuity. Yes, properties need a reliable detection and defense solution to resist the opportunist. With the mass migration to work remotely, business leaders are concerned that their IT systems are vulnerable to attack and we read daily about the growth in cyber-attacks. It’s common sense to protect your business with a suitable access control and intrusion detection system and the pandemic has proven to business the value of being truly resilient and able to still operate whatever circumstances ensue.
What will be the biggest security challenges facing businesses over the next six months?
In that timeframe, I don’t see us returning to how things were prior to the pandemic, so businesses will have to adapt to a new normal. We will have to adopt a more holistic view of security, encompassing safety, security and wellbeing, with our teams at the heart of that. In the new world, how can we maintain our teams’ safety at home, or limit them to certain floor space or introduce rotas for office attendance and keep surfaces virus free while they’re there? We need to be alert to where the next threat will come from and mitigate risk against both cyber and biological threat as we’ve seen a virus in either domain can be devastating.
How is Gallagher meeting the evolving demands of the market?
To be honest, Gallagher has always been ahead of the curve. We’ve been talking about competencies, compliance and resilience for decades, long before cyber became the buzzword. Everything we do is related to business resilience and continuity, and security is baked into our products and solutions at source, providing confidence and reliability for all of our customers.
You are not alone: operators everywhere are asking themselves what they are going to do. How are they going to get back to business, and fast? How are they going to cost-effectively operate with all the new safety requirements that have arisen as a result of COVID? How are they going to ensure it all gets done for the safety of customers and staff? How are they going to protect their brand from the negative exposure of being identified as a property with a reputation for COVID?
The economic impact of COVID is expected to hit brick and mortar businesses the worst, as their businesses are dependent on people being physically present. According to a recent report by RBC, it is estimated that 70% of Americans expect to avoid public spaces, 57% of Canadians will be unwilling to attend conferences without a vaccine and 63% of people will prefer to drive vs fly.
This means that for those of you in the business of travel, conferences, co-working spaces, retail stores, museums, art galleries, restaurants, sports arenas, hotels, cruises, airlines, resorts, theme parks, long-term care, education, etc., in the blink of an eye your approach to on-site safety just changed. To ensure your property is safe and secure, it is no longer just about access control, video surveillance and intruder alarms; it is also about sanitisation.
To get back to business and operating at full capacity after COVID, operations must find a way to eliminate the fear, uncertainty and doubt in the minds of their customers and employees.
The effect of COVID-19 on safety and security
Just like cybersecurity has had a direct impact on the IT strategy and budget, COVID will have a direct hit on the operations strategy and budget. To ensure your property is safe and secure, it is no longer just about access control, video surveillance and intruder alarms; it is also about sanitization. The lines between security and maintenance have just blurred.
From customers, to employees, to government regulators, to management, the focus is now on operations and the sanitization policies, procedures and actions of the team. To put this change of priority into perspective, six months ago sanitisation was not top of mind for people. Why? Because it was not a life or death issue; we had other first world problems to garner our attention.
From an operations perspective if we enabled a sanitization issue to become significant enough to impact the safety of customers and staff and therefore the brand, then that was an operational choice versus a mistake.
Standards for sanitisation
The issue is that, while the operating priority of sanitization has significantly increased, it is not measured and managed to the same standard as the other safety and security concerns across a business. Also important to consider: while people may not hold an operation liable during this first wave, we can guarantee they are not going to be as understanding during the second wave or a future pandemic.
To safely get back to business, the Centers for Disease Control and Prevention (CDC) and the Occupational Health and Safety regulators emphasize that all operations need a pandemic response plan and should follow these simple guidelines:
Develop your plan
Implement your plan
Maintain and revise your plan
While this sounds simple enough, keep in mind that requirements are constantly evolving and will continue to do so for the foreseeable future, or at least until all the research is in. To create an emergency response plan for a pandemic, properties must first determine what needs to be sanitized.
The current requirements dictate that most surfaces and objects will just need normal routine cleaning; it is only the frequently touched surfaces and objects, like light switches and doorknobs, that will need to be cleaned and then disinfected to further reduce the risk of germs on surfaces and objects.
The challenge is when you step back and consider what people touch in a day; the list quickly grows. After only 30 minutes, I easily came up with a list of over 60 items that one could call ‘high touch’! If you think about it, the list is extensive; telephones, doorknobs, drawer handles, counters, pens, keypads, computers, etc. and the list is only going to get longer as the research comes in.
To scope the impact on operations as part of the plan, we must then find and identify all of those high-touch things across the property. Combine that with the fact that the CDC requires not only that all high-touch locations be cleaned more often, but also that each location is first cleaned with soap and water and then disinfected for one minute before finally being wiped down.
This means a one-minute task has just turned into a 4-minute task that must now be completed multiple times a day. From a resourcing perspective this adds up quickly, and operating efficiency must be a priority, not to mention that it is going to get very complicated to measure and manage.
Post COVID rules
Getting back to business is going to be complicated; lots to do, lots of moving parts and no technology to help. The fundamental challenge to keep in mind is not that the sanitization requirements have evolved, the real issue is that for most businesses this area has been left unchanged for generations.
Still today, most rely on checklists, logbooks and inspections to manage the responsibilities of our front-line workers, which might have been fine before COVID. Post-COVID the rules have changed, and so should the approach to managing physical operating compliance on the front lines. COVID, like most physical operating requirements, is tactical, detailed and specific; broad strokes, the honor system and inspections are not going to cut it.
The digital transformation
COVID has changed the game and made the digital transformation of operating procedures not a ‘nice-to-have’ but a must-have. If we don’t change our ways, not only will we be doomed to continue making the same mistakes, but we will continue to be lost in paper, filing cabinets filled with checklists, never to be seen again. Only with the right data can we significantly improve the operational decisions necessary to accelerate our return to full operating capacity.
At the end of the day, to fully recover, operations must eliminate the fear, uncertainty and doubt in the minds of customers and employees; only then can we really get back to business.
Within days, a rule will take effect that bans from U.S. government contracts any companies that “use” video products from Chinese companies Hikvision and Dahua. The Federal Acquisition Regulation (FAR) rule implements the “blacklist” (or “Part B”) provision of the National Defense Authorization Act (NDAA), which is understood in the security industry as prohibiting dealers and integrators that do business with the federal government from selling Chinese-made video products to any of their customers (even for non-government projects).
The rule, which is officially still interim, states: “On or after August 13, 2020, [federal] agencies are prohibited from entering into a contract, or extending or renewing a contract, with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
Federal agencies issuing the rule are the Department of Defense (DoD), the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA). GSA provides centralized procurement for the federal government.
Because the COVID-19 crisis delayed issuance of the rule, the usual 60 days will not be allowed for public comment before the rule is implemented. However, public comments are welcome and will be addressed in subsequent rulemaking.
“Telecommunications equipment” refers to equipment or services provided by Huawei Technology or ZTE Corp, both Chinese telecommunications giants. The rule also specifies that it applies to “certain video surveillance products or telecommunications equipment and services produced or provided by Hytera Communications Corp., Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of those entities).” Hytera is a Chinese manufacturer of radio systems. Hikvision and Dahua are major international manufacturers of video surveillance equipment.
Limits and prohibitions
The rule states: “This prohibition applies to the use of … equipment or services, regardless of whether that use is in performance of work under a Federal contract.” In the industry, this clause is taken to mean that integrators that “use” any of the covered equipment are prohibited from selling to the government. “Use” presumably covers an integrator deploying the equipment in their own facilities and/or selling it to other customers. The rule also prohibits “service … related to item maintenance,” which in the case of a security integrator would include providing service contracts on previously installed systems.
Security Industry Association (SIA)
The Security Industry Association (SIA) comments: “Due to applicability [of the rule] to uses by entities with federal contracts even unrelated to their federal work, this broad interpretation is expected to have widespread impact on the contracting community across many sectors, as covered video surveillance equipment is some of the most commonly used in the commercial sector in the United States.”
Security integrators that do business with the federal government have largely anticipated the new rule and have already switched their Chinese camera lines for NDAA-compliant competitors. However, as SIA points out, the extensive common uses of the Chinese equipment in various commercial sectors raise additional concerns.
Easing compliance burdens
The interim rule adopts a “reasonable inquiry” standard when an offeror (government contractor) represents whether it uses covered equipment. “A reasonable inquiry is an inquiry designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity. A reasonable inquiry need not include an internal or third-party audit.” SIA notes that this provision may be aimed at easing the compliance burden by suggesting that contractors only need to inquire based on what information they already possess.
The new rule covers Paragraph (a)(1)(B), which has informally been referred to as the “blacklist” provision of the NDAA, the John S. McCain National Defense Authorization Act for fiscal year 2019. However, the “Chinese ban” provision [Paragraph (a)(1)(A)] already went into effect a year after the law was signed by President Trump (August 13, 2018). “Part A” covers use of Chinese-made products in fulfilling government contracts.
A growing threat
Seeking to justify the new restrictions, the FAR rule states: “Foreign intelligence actors are employing innovative combinations of traditional spying, economic espionage, and supply chain and cyber operations to gain access to critical infrastructure and steal sensitive information and industrial secrets. The exploitation of key supply chains by foreign adversaries represents a complex and growing threat to strategically important U.S. economic sectors and critical infrastructure.”
SIA has urged a delay in implementing the “Part B” provision, stating: “The federal government estimates that it will cost contractors well over $80 billion to fully implement this prohibition on the use of certain Chinese telecommunications and video surveillance equipment, yet endless delays in publishing the rule now mean that federal suppliers have just weeks to understand and comply with the new rule, which raises as many questions as it answers.”
SIA continues: “Federal suppliers across a wide range of industries have increasingly concluded that Part B is unworkable without clarification of the scope and meaning of key terms in the provision, which the rule does not do enough to define. For example, Part B bans agencies from contracting with a provider that “uses” any covered equipment or service. This term is not clearly defined in law or regulation, yet contractors must certify compliance beginning Aug. 13, 2020.”
The Part B rule, which only applies to prime contractors, enables agency heads to grant a one-time waiver on a case-by-case basis, expiring before Aug. 13, 2022.
The global pandemic caused by the novel coronavirus is changing work environments to an unprecedented degree. More employees than ever are being asked to work remotely from home. Along with the new work practices comes a variety of security challenges.
Without the proper precautions, working from home could become a cybersecurity nightmare, says Purdue University professor Marcus Rogers. “Criminals will use the crisis to scam people for money, account information and more,” he says. “With more people working from home, people need to make sure they are practicing good cybersecurity hygiene, just like they would at work. There is also a big risk that infrastructures will become overwhelmed, resulting in communication outages, both internet and cell.”
Concerns about the coronavirus have increased the business world’s dependence on teleworking. According to Cisco Systems, WebEx meeting traffic connecting Chinese users to global workplaces has increased by a factor of 22 since the outbreak began. Traffic in other countries is up 400% or more, and specialist video conferencing businesses have seen a near doubling in share value (as the rest of the stock market shrinks).
Email is a core element of business communications, yet basic email security has remained unchanged for 30 years. Many smaller businesses are likely to still be using outdated Simple Mail Transfer Protocol (SMTP) when sending and receiving email. “The default state of all email services is unencrypted, unsecure and open to attack, putting crucial information at risk,” says Paul Holland, CEO of secure email systems provider Beyond Encryption.
“With remote working a likely outcome for many of us in the coming weeks, the security and reliability of our electronic communication will be a high priority,” says Holland. The company’s Mailock system allows employees to work from any device at home or in the office without concerns about data compromise or cybersecurity issues.
Acting quickly and effectively
As the virus spreads, businesses and organizations will need to act quickly to establish relevant communication with their employees, partners and customers surrounding key coronavirus messages, says Heinan Landa, CEO and Founder of IT services firm Optimal Networks. Employers should also enact proper security training to make sure everyone is up to speed with what’s happening and can report any suspicious online activity.
Reviewing and updating telework policies to allow people to work from home will also provide flexibility for medical care for employees and their families as needed.
Scammers, phishing, and fraud
An additional factor in the confusing environment created by the coronavirus is growth in phishing emails and creation of domains for fraud. Phishing is an attempt to fraudulently obtain sensitive information such as passwords or credit card information by disguising oneself as a trusted entity. Landa says homebound workers should understand that phishing can come from a text, a phone call, or an email. “Be wary of any form of communication that requires you to click on a link, download an attachment, or provide any kind of personal information,” says Landa.
Email scammers often try to elicit a sense of fear and urgency in their victims – emotions that are more common in the climate of a global pandemic. Attackers may disseminate malicious links and PDFs that claim to contain information on how to protect oneself from the spread of the disease, says Landa.
Ron Culler, Senior Director of Technology and Solutions at ADT Cybersecurity, offers some cyber and home security tips for remote workers and their employers:
When working from home, workers should treat their home security just as they would if working from the office. This includes arming their home security system and leveraging smart home devices such as outdoor and doorbell cameras and motion detectors. More than 88% of burglaries happen in residential areas.
When possible, it’s best to use work laptops instead of personal equipment, which may not have adequate antivirus software and monitoring systems in place. Workers should adhere to corporate-approved protocols, hardware and software, from firewalls to VPNs.
Keep data on corporate systems and channels, whether it’s over email or in the cloud. The cyber-protections that employees depended on in the office might not carry over to an at-home work environment.
Schedule more video conferences to keep communication flowing in a controlled, private environment.
Avoid public WiFi networks, which are not secure and run the risk of remote eavesdropping and hacking by third parties.
In addition to work-from-home strategies, companies should consider ways to ensure business cyber-resilience and continuity, says Tim Rawlins, Director and Senior Adviser for risk mitigation firm NCC Group. “Given that cyber-resilience always relies on people, process and technology, you really need to consider these three elements,” he says. “And your plan will need to be adaptable as the situation can change very quickly.”
Employees and their employers
Self-isolation and enforced quarantine can impact both office staff and business travelers, and the situation can change rapidly as the virus spreads, says Rawlins.
Employees should be cautious about being overseen or overheard outside of work environments when working on sensitive matters. The physical security of a laptop or other equipment is paramount. “It’s also important to look at how material is going to be backed up if it’s not connected to the office network while working offline,” says Rawlins.
It’s also a good time to test the internal contact plan or “call tree” to ensure messages get through to everyone at the right time, he adds.
HID Global is introducing a new “flagship” line of access control readers as successors to the iCLASS line. The new HID Signo readers will support 15 different credentialing formats and communicate using the latest NFC (near field communication), BLE (Bluetooth Low Energy) and OSDP (Open Supervised Device Protocol) standards. HID Global says the new readers will simplify integration to more secure and mobile credentials.
HID Global has invested in a “future-proof” approach that both accommodates a variety of current market needs and can adapt to embrace new technologies as they come onto the market. The new line incorporates “all the hardware you need,” combining the capabilities of older generations of readers into a single product.
Simplifying the choice of readers
The new reader line seeks to simplify the choice of readers in a time when a variety of trends is complicating the access control market, from cloud systems to mobile access to identity management.
“We are simplifying the way we bring our products to market, and baking it all into our readers,” says Harm Radstaak, HID Global Vice President and Managing Director. “If an installer takes a reader out of the box and mounts it on the wall, it just works.”
In designing the product, HID sought feedback from channel partners, installers, consultants and end users on how the new readers would function. In addition, the company sought advice from architects on the design of the product. Aesthetics and industrial design elements were a priority because they ideally reflect the quality and “promise” of how the product will perform.
Cybersecurity is another emphasis. The readers store cryptographic keys and process cryptographic operations on certified EAL6+ secure element hardware, and custom authentication keys can be used for organizations who prefer that level of control. EAL6+ certification is a designation of the Evaluation Assurance Level of an IT product or system (the highest score is EAL7). Signo also includes a velocity checking feature designed to mitigate and thwart brute force attacks.
“The new Signo line is a continuation of the journey we have been on,” says Radstaak. “It is the natural succession of what we have been doing for years, and it underlines our position in the market.” By natively supporting mobile credentials, the new product line reinforces HID’s commitment to mobile systems, which the company first brought to market in 2014. Signo readers also include Enhanced Contactless polling to support mobile credentials in Apple Wallet.
Embracing the OSDP standard, which was created in 2008, also addresses the growing customer need for bi-directional, secure communications. There is built-in support for OSDP Secure Channel as well as legacy Wiegand communication for organizations seeking to transition.
Signo incorporates support for most credential technologies globally, including Seos, credentials with HID’s Secure Identity Object, and a variety of 125kHz legacy technologies such as Indala and Prox.
The flexibility and openness of Signo is a response to the acceleration of new technologies entering the access control market. “If you look at new technologies in general, our market has been slow in adopting them,” says Radstaak. “However, with new entrants in the market, new technologies, new device manufacturers and artificial intelligence (AI), I believe the market is adopting new technologies much faster than before. Users are much savvier.”
Radstaak says he expects market adoption of the new readers will be fast. “Customers have been waiting for this platform,” he says. “This has been a tremendous investment for HID Global, and it underlines our position in the market with its open platform, simplicity and future-proofing. We are prepared for whatever comes next technology-wise.”
With Signo readers, administrators will be able to remotely configure and diagnose readers as well as monitor status through a centrally managed and connected reader ecosystem.
As a member of the FiRA Consortium, HID Global has advocated bringing new technology to market based on the “fine ranging” capabilities of ultra-wideband (UWB) technology, which has applications in detection of the precise location or presence of a connected device or object. It’s the kind of technology that Signo platform’s “future-proofing” approach is geared to accommodate. “As the capability unfolds, we will be there to adapt,” says Radstaak.
ISONAS Inc., a globally renowned IP access control and hardware solutions provider, and part of the Allegion family of brands, has announced that the ISONAS Pure IP access control solution has been installed at a new flagship distribution center for Premier Packaging, an international packaging solutions company, with facilities in 14 locations nationwide.
ISONAS Pure IP access control
In the summer of 2018, Premier Packaging was looking to implement an access control system to help secure their brand-new 320,000-square-foot facility in Louisville, Kentucky. After working closely on a recent project with Orion Networks, a trusted IT infrastructure provider, Premier Packaging relied on their recommendation to implement a cutting-edge access control solution from ISONAS.
With no access control system in place at any of their 14 locations, and a combination of office workers, support staff, truck drivers and warehouse employees entering and exiting the building daily, a process to control access was a necessity.
Monitoring and tracking visitors to distribution center
A major challenge facing the new distribution center was that the truck drivers who came into the facility were not company employees. With on average 250 people coming in and out of the new facility in Kentucky daily, monitoring and tracking who those people were and whether they belonged there was imperative.
They were also looking for the flexibility to manage the locking and unlocking of doors remotely, rather than having to rely on physical keys. “After comparing ISONAS to other access control systems out there, we knew that ISONAS was the right flexible access control solution to meet Premier Packaging’s security needs,” states Brock Jamison, VP and Director of Sales at Orion Networks.
ISONAS RC-04 reader-controllers installed
The initial project consisted of 18 ISONAS RC-04 reader-controllers installed at their new distribution center in Louisville. The RC-04 reader-controllers from ISONAS deliver advanced technical functionality with an easy installation process.
In addition to the ISONAS hardware, the ISONAS Pure Access software was implemented to give the packaging company remote access capabilities.
Pure Access, ISONAS’s industry-renowned software, is a cloud-based access control application that provides users the ability to manage their access control from anywhere at any time, on any device.
“We are extremely happy that our unique access control solution could help Premier Packaging improve safety and security at their new distribution center seamlessly,” states Jonathan Mooney, ISONAS Sales Leader.
ISONAS cloud-based platform
By using both the ISONAS hardware and software solution together, Premier Packaging was able to improve security and keep employees safe. With the ISONAS cloud-based platform, Premier now required all Louisville employees to enter the building using their ID badges to gain access.
If an employee was not in the database and verified, then access would be denied. Future plans include rolling out the ISONAS access control solution to additional buildings and possibly integrating it with other security systems.
With Razberi Monitor™, security professionals can securely and remotely monitor their physical security network during a time of social distancing. IT professionals can quickly review the cyber posture data in case of a cyber-breach. Razberi Monitor™ provides secure, remote visibility into the availability, performance, and cyber posture of servers, storage, cameras, and other networked security devices.
The tool simplifies the monitoring and support of a multi-site enterprise security system, predicts and prevents problems for security professionals while providing a centralized view that benefits both IT and Physical Security departments.
According to Tom Galvin, Chief Product Officer, Razberi Technologies, "We have listened to the surveillance industry and created our software platform to enhance relationships and align Physical Security and IT departments. Razberi Monitor allows security professionals to be proactive by predicting problems."
Aligning network and surveillance departments
Razberi Monitor's software platform, paired with Razberi's video recording and switch appliances, has enabled Tropical Shipping to save on the cost of sending maintenance crews to check on potential issues in their US and Caribbean facilities.
"Our network is highly distributed across the US and Caribbean with up to 125 users viewing camera feeds at one time. Razberi Monitor has helped us increase our camera uptime assurance and align our network and surveillance departments," said Chad Nelson, Director of Security, Facilities and Cargo Compliance, Tropical Shipping. "They now have a clear view of all operations, and it puts me in the driver's seat to be able to provide specific alerts to each port remotely, quickly and more efficiently than sending a tech to troubleshoot."
Teleste Corporation and Stadler, a renowned international rail vehicle construction company, have agreed on deliveries of Teleste’s passenger information and CCTV systems to Stadler’s new FLIRT trains for Norwegian State Railways. The deliveries will take place in 2019–2021, continuing the cooperation between Teleste and Stadler that was started in 2009.
The deployment will include on-board passenger information (PIS) and CCTV systems for more than 20 trains complemented with video security cameras and video recorders, intercommunication and public address systems as well as TFT and LED information displays. The flexible and future-proof system works seamlessly together with the existing PIS systems, delivered during earlier stages of the cooperation, and includes upgrades such as enhanced cybersecurity.
Rolling stock manufacturers
“Today, transport operators and rolling stock manufacturers need to stay at the cutting edge of on-board technologies to deliver an excellent travel experience for the growing number of public transport users who wish to be informed about their travel at every step of the journey."
"We are pleased that we have been able to fulfill Stadler’s requirements for high-quality delivery of passenger information on their trains to Norway, and we are looking forward to continuing our cooperation,” stated Jörn Grasse, Vice President of Rail Information Solutions at Teleste.
Effective transport system
Teleste’s on-board passenger information system is based on modular software architecture, which makes it possible to use the system technology for different kinds of applications. The system provides a flexible option for the delivery of passenger information for rolling stock manufacturers and operators who wish to build and run an effective transport system that can carry large volumes of passengers smoothly and safely every day.
Customers can visit the company’s website for more information about the solution and its benefits.
In St. Petersburg, a set of Dahua thermal body temperature monitoring system was installed at the entrance of JSC Concern Okeanpribor to help the company with preliminary body temperature screening of employees and visitors during the pandemic. The equipment can quickly and accurately detect people with elevated body temperatures, one of the key symptoms of COVID-19, providing the organization with an additional layer of protection for its employees.
JSC Concern Okeanpribor is a company engaged in the production of sonar systems and shipbuilding stations to meet the needs of the country’s naval force and national economy. It is also listed as one of the ‘backbone enterprises’ of the Russian Federation.
Temperature monitoring solution
To provide its employees with safe working conditions under COVID-19, JSC Concern Okeanpribor hopes to use the Dahua thermal body temperature monitoring system to assist their daily temperature screening work and minimize the chances of infection with the strictest measures possible, while not ignoring privacy and respect.
The Dahua thermal body temperature monitoring solution was installed at the checkpoint of JSC Concern Okeanpribor, consisting of:
Thermal body temperature monitoring camera DH-TPC-BF5421P-T
Calibration equipment (blackbody)
Accessories (2 tripods, 2 adapters for a tripod)
The implementation of this solution was completed by Skyros Corporation, a gold partner of Dahua Technology in the Northwest Federal District, together with a well-known Russian software developer for security systems – VideoNet. The Dahua thermal body temperature monitoring system is a part of the VideoNet security systems at the facility.
The Dahua Thermal Body Temperature Monitoring Solution provides a non-invasive way to help organizations check body temperatures of a group of people at the same time, which is faster than hand-held scanners and can be done at a safer distance. That’s why this solution is accepted and adopted by JSC Concern Okeanpribor and other security experts during the pandemic and recovery. Moreover, the most important factor why it was chosen is its accuracy.
Reducing false alarms
With a blackbody, the solution uses a hybrid thermal imaging camera to achieve highly accurate temperature monitoring of ± 0.3 ℃, which is essential in detecting people with abnormal temperatures. At the same time, the camera’s built-in face detection enabled by advanced AI technology can improve the overall measurement accuracy with better positioning of the measuring point on the face.
This approach significantly reduces false alarms caused by a variety of hot objects that may accidentally or intentionally appear in the monitored zone. It can also detect the temperatures of people wearing medical masks.
This solution also includes a special version of Dahua DSS software, which can handle temperature alarms. If the set temperature threshold is exceeded, this could be an indication that the system has detected a person with fever and should be checked by a medical professional. In this case, the camera will send an alarm message to this software, allowing the operator to take appropriate measures.
Conduct preliminary detection
Featuring long distance, non-contact and fast detection speed, the Dahua Thermal Body Temperature Monitoring Solution allows JSC Concern Okeanpribor to conduct preliminary detection of people entering their building who are exhibiting fever, thus effectively limiting cross-infection caused by physical contact, saving manpower and material resources, enabling efficient passage of people at the entrance, as well as enhancing protection for the operation of the whole company.
The solution has been widely used in China and many parts of the world during the pandemic and corresponding recovery. Its effectiveness for mass scanning especially in public places such as shopping centers, office buildings, airports, train stations, subway, as well as in hospitals and educational institutions has been proven by its applications all over the world. In one transportation hub for instance, the system detected more than 100 passengers with abnormal temperature. After conducting medical tests, 60 of them were confirmed positive for COVID-19.
Protecting the oil and gas market is key to a thriving economy. The list of security challenges for oil and gas requires the best technology solutions our industry has to offer, from physical barriers to video systems to cybersecurity. We asked this week’s Expert Panel Roundtable: What are the security challenges of the oil and gas market?
We are all more aware than ever of the need for cybersecurity. The Internet of Things is a scary place when you think about all the potential for various cyber-attacks that can disrupt system operation and negatively impact a customer’s business. Because most physical security systems today are IP-based, the two formerly separate disciplines are more intertwined than ever. We asked this week’s Expert Panel Roundtable: How can cybersecurity challenges impact the physical security of a company (and vice versa)?
Cloud systems are among the fastest-growing segments of the physical security industry. The fortunes of integrators can improve when they embrace a recurring monthly revenue (RMR) model, and cloud systems are expanding the services and features manufacturers can provide, from remote diagnostics to simplified system design. But for all the success of cloud systems, there remains confusion in the market about the exact definition of “cloud.” Or does there? We asked this week’s Expert Panel Roundtable: What is “the cloud?” Is there agreement in the market about what the term means?