He noted that the biggest difference between securing a physical location and an online space is scale: “When you get to the network — following this analogy — imagine that anybody in the world can magically appear at your door and check it. That’s what happens in a network. Anyone in the world can see an internet-connected device, and they can check it for vulnerabilities.”
Having underscored the importance of shoring up network protections, Bendis then shared with the crowd how to keep these systems secure.
1. Audit the Cybersecurity Protections of the Manufacturer
Every security company should have a cybersecurity program, so Bendis advised listeners to first make sure their security technology company has one.
When investing in new solutions, businesses should check for several things: cyber protections in the security company’s supply chain to ensure all the individual parts are secure; standard protections, such as an inability to use default passwords; programs to identify and update against known vulnerabilities; and good communication.
2. Hire Qualified Teams to Install and Configure Security Systems
People who install physical security systems are doing work beyond that of an electrician. They’re configuring devices, setting up networks and coordinating with IT teams, Bendis said. Tech is also being delivered in “no-trust mode,” he added, a different configuration than the old days of plug-and-play.
“The reason plug-and-play would work is because the configuration would be so open that it would accommodate all the different scenarios to connect that device. So, even if you’re using the device to communicate with your network one way, other paths were still open for hackers to get in,” he said.
With zero trust, the device won’t communicate with anything until it’s programmed the right way by the organization using it.
3. Physically Secure Devices on the Building's Exterior
Make sure surveillance cameras, intercom systems and other physical security technologies can’t be removed from the exterior of a building using a single screwdriver, Bendis said.
This not only would allow attackers to disable security systems but also would give them access to the network cables within the hardware.
Instead, either install tamper switches that can notify security teams, physically secure connections or put external devices on fiber so criminals can’t use them to access the network.
4. Manage Security Tech Through Careful Tracking and Communication
Business and security leaders need to keep an inventory of all devices. “You need every make, model, camera, firmware version, software version, the Windows version of your servers — a listing of every device that’s on the network. That will go a long way if a vulnerability is identified,” Bendis said.
There should also be communication with the manufacturer so that, if it identifies a vulnerability, it can contact any business using its products. If vulnerabilities are found, updates and patches close those gaps. Businesses should have a process for installing updates quickly and effectively.
5. Coordinate with the Corporate Tech Department
Because most devices are on a corporate network, there needs to be communication with the IT department, Bendis advised. Follow the IT department’s security requirements, which may include:
- Digitally segregating the security system on its own virtual LAN
- MAC filtering via devices’ IP addresses
- Routing configurations that restrict cameras’ access to servers
- System monitoring