But perhaps the biggest pitfall when it comes to protecting against cyberattacks is failing to account for the behavior of end-users, who are the single biggest source of security compromises, Tyson says.
“You may have heard the term ‘phishing’ or ‘spear phishing,’ where you attack very specific people—get them to click on a link in an email; get them to go to a website. This is really the No. 1 method to get into organizations,” he points out.
Additionally, failure to implement proper identity management within an organization is a huge error. Granting everyone in the organization access to the network with a single user ID and password is a recipe for disaster, especially when an employee is fired or resigns on bad terms and the login information isn’t changed. “I worked with an organization that literally had not changed the password on its gas control system in 20 years,” Tyson recalls.
Similarly, Surfaro suggests allowing employees access to the network with mobile devices that are loaded down with apps is a blunder, as well. “You’re allowing people to log into the BAS system who essentially could have keyloggers installed in their mobile apps, so their keystrokes are being sent to other locations periodically—that’s one pitfall,” he says.
Fortunately, Tyson says educating end-users about the dangers of downloading unvetted apps and clicking on links from people they don’t know is the easiest and most cost-effective way to deal with cybersecurity breaches on the front end.
“There are tremendous amounts of things you can do to protect [your building’s assets] upfront, and you can really reduce the amount of risk by good hygiene of your environment, good security practices and then educating your users at the end of the day not to click on things. Security awareness is probably the No. 1 thing you can do,” he concludes.
What to Do If You’ve Been Hacked
The time to decide what to do in the event of a cyberattack isn’t after it’s already taken place. Establishing a plan of action in advance is absolutely essential to protecting your organization and its assets.
“What you want to do is prepare an incident response plan when you have a clear head, and you want to identify various scenarios,” says Jim Kelton, managing principal at Altius Information Technologies Inc., a security audit company in Costa Mesa, Calif. “So if there is an incident you quickly go back to your plan, pull out this scenario and say, ‘These are the steps we’re going to follow. These are the people we’re going to communicate with: the authorities, executive management, the press, our suppliers, our staff and our customers.’ It really needs to be thought out very well in advance, not when you’re having an incident and then saying, ‘What do we do now?’”
However, assuming a cyberattack has already taken place, building owners and facility managers should focus on life safety, protecting property and preserving data, according to Steve Surfaro, industry liaison for Phoenix-based security solutions provider Axis Communications and chairman of the Security Applied Sciences Council for ASIS International, Alexandria, Va.
When mobile devices are near a wireless access point, a user’s location can be identified easily without intrusion, which Surfaro says is an excellent tool for evacuating people from a building. “If the Pulse Nightclub [in Orlando where a mass shooting took place in 2016] used this simple software, more lives would have been saved; they would have been able to find out where people were,” he says.
Secondly, protecting expensive mechanical equipment, such as power distribution, HVAC, and data servers from fire or explosives is important and relatively cost-effective. For example, visible-light sensors attached to video surveillance cameras now can detect radiation while “sniffers” installed in the HVAC can identify harmful chemicals or explosives within the system.
Equally important is to protect data. “Everybody knows what data recovery means, but not everybody understands how it works,” Surfaro says. The most effective, yet often overlooked method of preserving data—including operating systems, license keys and intellectual property—is to have at least two off-site copies or mirrors in two different geographic locations. “I would say not too many people do that. It’s amazing,” Surfaro says.
Lastly, ensuring your organization has the expertise to deal with cyberattacks is key to a solid defense, according to Dave Tyson, CEO of security consultancy firm CISO Insights, Racine, Wis.: “If you just have some well-meaning IT folks even with a healthy sense of paranoia, that’s probably not what’s going to get you by. This requires sophisticated expertise.”