Earlier this year, Hiscox published its "Cyber Readiness Report 2021." It was based on a survey of more than 6,000 companies based in the US, the UK, Spain, the Netherlands, Germany, France, Belgium, and Ireland. One of the most eye-catching findings was that spending per business on cybersecurity has more than doubled in the last two years.
This increased spending has been a rational response to a growing threat level. According to Hiscox's study, more firms were targeted by criminals in 2020 than in 2019, and 28% of businesses that suffered attacks were targeted on more than five occasions last year. Almost half of respondents said they felt their organization had become more vulnerable to cyberattacks since the start of the pandemic, rising to 59% among businesses with more than 250 employees. Of those targeted, about one in six said a cybersecurity event had threatened the viability of their business. The survey also found that a ransom payment had been demanded from around one in six of those hit by cyber criminals, and that more than half of those paid it.
Hiscox went on to assess firms' maturity across six areas of capability, which together comprise the elements required to install, run, manage and govern an effective security program. One of those six areas was "Identity and access management," and across all the companies surveyed it ranked second from the bottom.
Why Is Access Control an Important Part of a Cybersecurity Program?
The truth is that access control has not always been front of mind when it comes to cybersecurity, and many companies are still playing "catch up" in this area, but this is changing fast. More and more companies now appreciate that if access control systems are compromised, the daily operations of the building – and, consequently, its residents – could be at risk.
These companies are prioritizing measures to address the most urgent threats – five in particular:
- Man-in-the-middle attacks (MitM) – an attacker who gains a position on the network path between devices can eavesdrop on, and potentially alter, the traffic between an intercom or reader and its controller or server. If that traffic is not encrypted, door-opening codes and device login passwords can be captured.
- Password/dictionary attacks – an attacker tries to guess the credentials of a device's web or administrative interface, normally with an automated tool that works through a dictionary of common passwords or brute-forces candidates until one is accepted.
- Unauthorized connection to the LAN – an intercom or reader is often mounted on the outside of the building. If an attacker pries the device off the wall, the Ethernet (UTP) cable behind it offers a direct connection to the internal network unless the switch port is restricted.
- Unauthorized viewing of the intercom camera – IP cameras are frequently installed with the factory default password unchanged, so anyone who can reach the camera on the network can log in and watch what is happening.
- Malware attacks against mobile devices – access control systems based on mobile credentials are increasingly popular, primarily because of the convenience they offer. However, the smartphones that hold those credentials are themselves targets: attackers have used credential-stealing malware, spyware and malicious advertising against them.
These threats are not restricted to the cyber sphere. Compromising access control can also pose a physical threat if criminals are able to sneak into a building. Even when physical security is not breached, cyberattacks can cost millions in regulatory penalties, disrupt core business functions, and threaten corporate reputations.
Defending Access Control Systems From Cyberattacks: What Are the Basic Rules of Engagement?
It is clear that threat levels are increasing, and there are some basic "good practice" measures that companies should take to protect every aspect of their IT systems. These include using strong, unique passwords; conducting regular security audits of the IT infrastructure to identify and eliminate vulnerabilities; and training the security team responsible for the building's IT infrastructure on the most common threats and how to address them.
On top of that, focusing on access control specifically, there are some additional rules that companies can follow which can make a huge difference:
- Pursue compliance with a proven security control framework. Two of the most widely recognized are ISO 27001, a certifiable standard for an information security management system, and SOC 2, an audit attestation against the AICPA Trust Services Criteria. Both guide companies in creating secure systems and processes, and in demonstrating to customers that they have done so.
- Make sure the access control system uses encryption and multi-step (multi-factor) authentication. Encryption protects communication between devices, controllers and mobile devices; strong authentication means every login, including the vendor's, is accounted for. Confirm with the manufacturer that there is no undocumented back door for "maintenance purposes."
- Create an independent network, dedicated exclusively to devices that handle sensitive information, and ensure that communication between them is encrypted. Place these devices on a separate virtual LAN (VLAN), and require that the installed devices and software use encrypted protocols such as HTTPS, TLS, SIPS or SRTP by default, rather than their plaintext counterparts (HTTP, SIP, RTP).
- Create separate accounts with different privileges. Each user should be able to make only the changes their role requires, while only the administrator holds the broader rights needed to manage the building and all linked accounts.
- Update the software regularly. Keeping devices on the latest firmware is important for mitigating cybersecurity risks: each new release typically fixes bugs and closes vulnerabilities discovered since the previous one. Subscribe to the manufacturer's security advisories so that patches are applied promptly rather than discovered by accident.
- Train your employees to avoid social engineering threats. The human element is the most vulnerable part of any system, and attackers can trick people into making security mistakes or giving away sensitive information. It is therefore necessary to train employees regularly and invest in their awareness of cybersecurity.
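As an added example (not 2N's code and not part of the original article), the following Python script audits a constructed device inventory against the threats listed earlier and the rules above: default or short passwords, plaintext protocols that a man-in-the-middle could eavesdrop on, devices outside the dedicated VLAN, outdoor devices on switch ports without 802.1X, and out-of-date firmware. The VLAN id, the default-credential list, the protocol pairs and the sample devices are all assumptions for illustration.

```python
"""
Audit a building access-control inventory for the weaknesses discussed above.

Added example, not vendor code. The inventory below is constructed for
illustration; the dedicated VLAN id, default-credential list and protocol
pairs are assumptions an installer would replace with their own data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: VLAN 40 is the VLAN dedicated to access-control devices.
ACCESS_CONTROL_VLAN = 40

# Assumption: a short list of factory default logins; a real audit would use
# the vendor documentation for each model.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("admin", ""), ("root", "root")}

# Plaintext service -> encrypted counterpart that should be used instead.
# Anything in this table can be read by an attacker on the network path.
PLAINTEXT_TO_SECURE = {"http": "https", "sip": "sips", "rtp": "srtp", "telnet": "ssh"}

MIN_PASSWORD_LENGTH = 12


@dataclass
class Device:
    name: str
    kind: str                 # intercom, reader, camera, controller
    vlan: int
    protocols: List[str]      # services the device exposes on the network
    username: str
    password: str
    firmware: str
    latest_firmware: str      # latest version published by the vendor
    outdoor: bool = False     # mounted where the cable is physically reachable
    port_8021x: bool = False  # switch port requires 802.1X authentication


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.31.0' into (2, 31, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_device(device: Device) -> List[str]:
    """Return human-readable findings; an empty list means the device passes."""
    findings = []

    # Password/dictionary attacks, and cameras left on the factory password
    if (device.username, device.password) in DEFAULT_CREDENTIALS:
        findings.append("factory default credentials still in use")
    elif len(device.password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")

    # Man-in-the-middle: any plaintext service leaks door codes and logins
    for proto in device.protocols:
        if proto in PLAINTEXT_TO_SECURE:
            findings.append(f"plaintext {proto} enabled; use {PLAINTEXT_TO_SECURE[proto]}")

    # Network separation: sensitive devices belong on the dedicated VLAN
    if device.vlan != ACCESS_CONTROL_VLAN:
        findings.append(f"on VLAN {device.vlan} instead of dedicated VLAN {ACCESS_CONTROL_VLAN}")

    # Unauthorized LAN connection through an outdoor device's cable
    if device.outdoor and not device.port_8021x:
        findings.append("outdoor device on a switch port without 802.1X")

    # Outdated firmware
    if version_tuple(device.firmware) < version_tuple(device.latest_firmware):
        findings.append(f"firmware {device.firmware} behind latest {device.latest_firmware}")

    return findings


def audit(inventory: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its list of findings."""
    return {device.name: audit_device(device) for device in inventory}


# Constructed sample inventory (not real devices, versions or credentials).
INVENTORY = [
    Device("front-door-intercom", "intercom", 40, ["https", "sips", "srtp"],
           "admin", "Kx9#vL2mQp7!wR", "2.31.0", "2.31.0", outdoor=True, port_8021x=True),
    Device("garage-reader", "reader", 1, ["http"],
           "admin", "admin", "1.4.2", "1.5.0", outdoor=True, port_8021x=False),
    Device("lobby-camera", "camera", 40, ["https", "rtp"],
           "admin", "1234", "3.0.1", "3.0.1"),
    Device("door-controller", "controller", 40, ["https"],
           "operator", "short1", "5.2.0", "5.2.0"),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as written, the script passes the intercom that sits on the dedicated VLAN behind an 802.1X port with encrypted services, and flags the garage reader on all five counts. In practice the inventory would be exported from the device management tool rather than typed in, and the checks are a starting point: they do not verify that a device actually presents a valid TLS certificate or that the VLAN is enforced at the switch.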
These are not complicated rules, and they needn’t be expensive to follow either. Indeed, as the war against cyberattacks and data breaches intensifies, which company can afford to ignore them?
More information about intelligent access control and expanding cybersecurity needs can be found in 2N’s white paper, "The Evolution of Access Control."
—Tomáš Vystavěl is Chief Product Officer at 2N TELEKOMUNIKACE
This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.