Who is responsible for preventing a cybersecurity breach?
The answer to this question has evolved over the years. Once thought of as purely the responsibility of the IT department, facilities teams are increasingly playing a role in preventing cybersecurity breaches.
“People think of cybersecurity as people in a foreign country trying to hack in, but there are a lot of threats that deal with people physically getting into equipment,” said Jeff Krull, partner at Baker Tilly and leader of the company’s cybersecurity services. “Facilities managers have a big impact on the physical security of a building.” In many buildings, it’s not difficult for someone to physically approach a computer, insert a thumb drive carrying malware and introduce vulnerabilities into the system, Krull explained.
“The primary role of both IT and facilities departments in cybersecurity is prevention,” added Scott Hellberg, director, information security governance, risk and compliance for Sentry Insurance. “IT should be focused on the systems, including everything from firewalls and access points to encryption and activity tracking. Facilities teams should focus on physical risks. For example, console stations should only be accessible by those who need to use them. Controls should not be out in the open, but rather kept behind lock and key to prevent tampering.”
Smart building systems can also open the door to a cyberattack, said David Stehlin, CEO of the Telecommunications Industry Association. Many IoT devices haven’t been properly scrutinized from a security standpoint and can present bad actors with easy opportunities to gain access to your network.
“These IoT devices are driven by software. They might have been cheaply made IoT devices that don’t have good capabilities, or it could be an IoT device that has outdated software,” Stehlin said. “The bad guys find weak links. They look for system interfaces and outdated IT or OT [operational technology]. They look for no policy or poor policy implementation, by which I mean patching plans or updating software, not properly managing remote workers, etc.”
The number of cyber attacks reached an all-time high in 2021, according to the 2022 Cyber Threat Report by SonicWall. Researchers for Mandiant also found that of the 3,000 data leaks originating from ransomware attacks, more than 1,300 occurred on OT infrastructure, underscoring the importance of taking the threat seriously.
How Breaches Are Discovered
Breaches often go undiscovered until after the perpetrator has gained access and started doing damage, Krull said. That’s because many bad actors are strategic; they may lie in wait for a while as part of a discovery process before they strike.
“A lot of times, sadly, most breaches are not self-discovered. It’s discovered because the organization gets a phone call for ransom, or a phone call from the bank saying they lost a bunch of money,” Krull said.
It takes an average of 280 days to fix a vulnerability in production once a breach is discovered, according to IBM’s Cost of a Data Breach Report 2020. That’s a big window in which your system could be exploited.
“Some of the breaches might not be criminal, but many are,” Stehlin said. “In IBM’s global analysis, it’s over a $4 million cost per breach, and in the U.S. it’s over $9 million. So, the costs of breaches in the U.S. are greater, and the numbers continue to grow. It’s not getting better, it’s getting worse.”
How to Prepare Ahead of Time
The key to surviving a breach is to prepare ahead of time. Start by determining what was impacted “to contain the incident as quickly as possible,” advised Hellberg. Next, start patching your systems and closing down any vulnerabilities you can find, Krull said. Ensure you have good backup and recovery practices.
Next, determine whether your organization knows how to respond to an incident. Every organization needs a way to respond to cyber incidents, because they most likely are going to happen at some point. The breach response team should have representatives from any department that will be involved in the recovery process, from legal to PR and everyone in between. This team should also train together periodically, Krull said.
“Get all those voices on the phone and go through scenarios. What would we do if this happened or that happened?” Krull explained. “…You want to have a team where when something bad happens, it’s not a catastrophic ‘What are we going to do now?’ It’s ‘We have a playbook; we know how to handle this. Maybe there’s going to be some pain involved but we know the steps we need to take.”
Knowing those steps starts with developing a standard operating procedure for responding to breaches, Stehlin added. Come up with a game plan ahead of any breach occurring to save yourself time, money and pain later.
One way to develop your standard operating procedure and get your whole team on the same page is to go through a building certification like the SPIRE Smart Building Program, the world’s first comprehensive assessment and rating program for smart buildings. Facilities can earn a UL Verified SPIRE Smart Building Rating based on their performance in six categories of smart building performance, including cybersecurity.
“It forces all those groups to get around the table to talk to each other and build those relationships, but also to build those standard operating procedures,” Stehlin said. “Then you know who’s responsible for each of these things along the way, both preventive and then to repair [after a breach]. It gets the facilities, IT organization and executives all thinking with the same objective and intent the first time.”
Despite your best efforts, you may still suffer a breach. If that happens, start by closing down whichever vulnerability allowed the bad actor to gain access in the first place. “Otherwise, they or somebody else are going to do the same thing,” Krull said. Next, work your disaster recovery plan and rely on your backups to recover whatever data you can.
“In an ideal world, you’ve done that upfront,” Krull said. “If you haven’t done that upfront, recovery can take weeks or months because you’re finding old backups, finding where other data was and starting to restructure the environment, so recovery is much more difficult.”
Next, look for other gaps that haven’t been breached, but could be in the future, Stehlin said. “How often are you updating your IoT devices? What’s the last software patch you put on there? Are you comfortable with the manufacturer of these devices, or did you just buy the cheapest thing to manage your cameras or HVAC system? All of those things come into play.”
Don’t rest on your laurels when your breach recovery is complete, Stehlin cautioned. Stay vigilant so you and your team will be prepared for the next time—because there will be a next time.
“Maybe recovery from that event is complete, but you’re constantly raising the bar and having to continually upgrade the software on all your IoT devices and IT devices,” Stehlin said. “I don’t think you ever know when it’s complete. Doing these things upfront is really critical.”