5 Steps to Better Cyber Risk Management

This article was originally written by Paul Konikowski, and published on Commercial Integrator on January 15, 2019.

Does your company accept credit card payments? Does your human resource department keep records of the employees’ personal data? What about third-party vendors that handle payroll, or even the folks who take the garbage out? Nearly everyone has a camera on their smartphone these days.

So, before you can protect the data of your clients and design secure audiovisual systems, you should look first at your own company’s cyber risk management framework.

There is no single cyber risk management approach that will stop all cybercrime; it varies per industry. But generally speaking, there are five elements that are common in successful cyber risk management:

  1. Start with a proper cybersecurity framework, which provides a structure for ensuring your “CIA”:
    1. Confidentiality of sensitive data – restricting who can view the data
    2. Integrity of the systems – controlling who can write, change, or delete data
    3. Availability – ensuring that systems are up and running when they are needed

There are a number of cybersecurity frameworks readily available; the most relevant to audiovisual systems contractors are the ISO/IEC Security Control Standards, the FCC Cyber Security Planning Guide, and the NIST (National Institute of Standards and Technology) Cybersecurity Framework, which has been widely adopted across many industries.

  2. Implement a balanced distribution of responsibility. Many users think that cybersecurity is the responsibility of the IT department, but it is really everyone’s responsibility. Anyone with email access can be susceptible to a “phishing” scam where they inadvertently click a malicious link or attachment. Executives must understand the risks and their responsibilities.
  3. Take a holistic approach to security. Consider not only technical factors, but human and physical factors. It is important that companies equip their employees with the right tools to recognize phishing email and malware, or even bad actors within their organization. Develop a company culture of cyber-awareness, and provide adequate training to all users. Reward users for raising security concerns. Minimize physical access to equipment using access controls.
  4. Develop a thorough and ongoing risk assessment process. The first step is to identify and categorize your assets, including digital assets and intellectual property (IP). Next, identify the threats to your organization, which could be external, like a hacker locking up your systems using ransomware, someone stealing credit card or personal information, or a hacktivist who doesn’t agree with your company’s values. Maybe a competitor wants to shut you down for a week and ruin your reputation? But there could also be internal threats: users who might accidentally delete files, or malicious employees who try to steal your trade secrets. Assume you just hired the next Edward Snowden. Consider a third party who can test and assess your systems and vulnerabilities. Like humans, most companies cannot recognize their own faults.
  5. Everyone in the organization needs to know what to do when a threat has been detected. We talked about Incident Response Plans in greater detail last month.

By developing and maintaining a cyber risk management approach for technicians, you can minimize the cyber threats and resulting impacts to your organization. You will also be prepared when your clients ask you for a copy of your cybersecurity policy or risk mitigation plan (and they will!).


The Best Data Breach Incident Response Plans Require These Steps

This article was originally written by Paul Konikowski, and published on Commercial Integrator on December 10, 2018 and My Tech Decisions on December 20, 2018.

Cybercrime is on the rise. Data breaches and cyberattacks have become more diverse and numerous, and their impact more damaging and disruptive. It feels like every other day, there is news of a large corporation getting hacked and/or losing some of your personal data. It is not a matter of “if” you will be impacted, but “when”. This is why it is so important for corporations and organizations to have a Cybersecurity Policy in place, along with an Incident Response Plan (IRP), and the right team of people who know how to react appropriately, often called the Incident Response Team (IRT).

Once a threat is detected, the IRP acts as a roadmap, allowing the IRT to take a systematic approach to solving the problem, documenting everything along the way, and minimizing human error. This reduces losses and downtime. The other big advantage is that, following an incident, evidence that the cybersecurity policy, including IRP and IRT, were in place will be useful should the attack lead to legal proceedings. Ignorance is no excuse when it comes to cybersecurity. Negligence can result in costly fines, lawsuits, and/or time in prison, all of which can negatively impact a company’s reputation.

There are many variations, but the best Incident Response Plans typically include the following steps:

  1. Analysis – Is it a false positive? The IRT should review the logs for vulnerability tests or other abnormalities. What systems have been attacked? What stage is the attack at? What is the origin?
  2. Containment – Provides time to determine the next steps, while limiting the spread and the impact. Your team should isolate the system if possible and make a backup for forensic investigation.
  3. Communication – Alert everyone on the Incident Response Team, including IT, HR, Legal, Operations and Management representatives. Should law enforcement/FBI be contacted? Experts like FireEye? Third-party vendors? Industry peers? How soon should you alert the public? The laws vary by state in the US. In the EU, the GDPR says within 72 hours. Your IRP should include a detailed cyber crisis communication plan, detailing who should be contacted in case of an attack, what message will be conveyed to them, and who has the authority to communicate on behalf of the organization.
  4. Eradication – Scan all systems for malware. Isolate and disable all accounts and components that have been compromised. Remove access to systems by suspect employee logins. Change passwords, apply patches, and reconfigure firewalls.
  5. Recovery – This can take a while, so you need to prioritize which systems are most critical to resume functionality.
  6. Post-event analysis – What was the dwell time? (time from breach to recovery) Are changes to policies, procedures, or equipment in order? How effective was the incident response plan? Then, test the revised IRP using a simulated attack.

In conjunction with having an incident response plan, organizations need to provide adequate cyber awareness training to all employees, not only explicitly telling everyone what to do, but what not to do, in the event of a data breach or cyber-attack. Setting guidelines for communicating with outside parties regarding incidents is key. You don’t want someone in your organization tweeting “WE ARE GETTING HACKED!!!”, followed by a dozen hashtags, do you?


Know Your Audience, #AVtweeps

Photo of the Brooklyn Bridge by Paul Konikowski

I shared this joke earlier today on Twitter, during an #AVinTheAM online chat:

“An Architect, an IT Director, and an AV Professional walk into a bar…

[The AV Professional could be a consultant, integrator, or manufacturer]

The Architect orders a Vodka Sour, the IT Director orders a Rum and Coke,

The AV Professional says they need to standardize their user experiences,

orders three Long Island Ice Teas, and then asks, ‘who’s paying for these?'”

I hope I don’t offend any architects or IT people with my humor; the joke is really on the AV professional. He or she may think they are making both the Architect and the IT Director happy by incorporating both their drink ideas into the triple order of Long Islands. There are many roads this joke could lead us down, but today we will talk about knowing your audience when meeting about an AV project.

In practice, meetings with architecture firms, IT departments, music ministry leaders, fitness instructors, technical directors, general contractors, or higher education universities have some similarities, but each group has its own priorities and lingo.

Dropping lofty buzzwords like “user experience” and “agile workspaces” may not be as effective as using the words that they use; ask about their typical meetings, classes, rehearsals, or services. You are basically asking them about the current user experience, but in their words. Ask them which meeting spaces are the most popular, and why.

Discuss any trends you are seeing in flexible work or education environments. Ask them if they have any divide/combine spaces, but use their term for them, “airwalls”. How often do these rooms get combined or separated? How do the systems work when combined or separated? And how well do they work for the typical room usage?

If you are discussing a church, house of worship, or auditorium, say “sound board” when asking them about the FOH (Front of House) mixing position. See what I did there?

If a client or work contact uses an acronym you don’t recognize, don’t be afraid to ask them what it means, to them. Don’t assume they know your acronyms either. You might say OMP meaning Operations & Maintenance Plan, and they may instead hear:

Office Managing Partner

Occupational Maternity Pay

Open Market Purchase

or a dozen other meanings for the acronym OMP.

And if your audience includes Millennials, they may think, for a second, that you meant

One Moment Please

because that is how OMP is used in SMS messaging and other text chat platforms! So don’t be afraid to spell out your acronyms and ask them about theirs. Some companies have so many acronyms that they develop a glossary page for them. Ask for a copy!

The other thing to ask about early on is the timeline. Architects and consultants will use acronyms like SD, DD, and CD to describe the Schematic Design, Design Development, and Construction Document phases of their drawing sets. Owners and end-users are more concerned with commissioning and occupancy. Each has its own deadline.

What if you are going to a meeting with an architect, owner’s rep, IT department head, furniture vendor, plus various engineers from other trades? Who are the others in the room? How do you know your audience if you have never met any of them?

Do your homework. Start with the meeting planner, and then the other people invited, looking up each one on LinkedIn or Google. Look at their current job descriptions, but also at their work history and where they went to school; what did they study? Read their most recent posts, and ask yourself, what drives them? Whenever possible, ask your coworkers if they have ever worked with the other people invited to the meeting.

When the meeting starts, try to quietly jot down the names of any “special guests” you may not have anticipated, and then look them up on LinkedIn or Google afterwards. Ask for business cards from anyone who has one, especially any electrical engineers. You need to keep your coordination within proper channels, by communicating through the client, the architect, or the project manager, but you can address them by name in your correspondence: “Following up on the question raised by XYZ…”

Circling back to the joke I made about the architect, IT director, and the AV professional: all are highly technical people, but with different strengths. The IT Director may be able to talk at length about bandwidth, IP addresses, firewalls, and cyber-security, while the architect may be more concerned with determining the electrical and backing needs, and the BTU load of the AV racks, so they can coordinate with their HVAC and MEP engineers. Furniture vendors need to know what holes to provide in the tables for microphones and table boxes. They all love dimensions! Coordinate using AutoCAD or Revit, or mark up PDFs using Bluebeam or similar.

By determining your audience in advance (or during a meeting, or sometimes after), you can tailor your communiqué and deliverable to each, making everyone happy. You might also find yourself being a bridge between different people involved in a project. By speaking their own dialects, you can connect them like the boroughs of Manhattan.

And maybe Long Island :)
