Who’s on first? What’s on second? I don’t know who’s on third?
That’s an old comedic bit from the classic comedy duo Abbott and Costello. Anyone under age 50 probably isn’t familiar with them. But if you are, that classic riff is meant to convey how a lack of communication can doom a team. A similar lack of communication can leave organizations vulnerable to a breach.
Recently, a friend of mine who owns a commercial office complex outside of Indianapolis experienced a hack of the office’s security cameras that panned the 1000-spot parking lot. There was no apparent damage done, although hacker motives are often unclear until something ugly rears its head.
My friend explained to me that he thought the MSP he hired to take care of campus IT was also in charge of the parking lot cameras. Meanwhile, the MSP thought the maintenance department, which has a separate chain of command and IT structure, was managing of the cameras. And the maintenance department thought it was the responsibility of the third-party vendor who oversaw the parking lot to manage and maintain the cameras. Each thought it was another vendor’s duty to take care of the cameras. In other words, everyone assumed someone else was taking care of cybersecurity for the cameras.
“In this case, you’re just talking about one corporate campus, but can you imagine how complex and multilayered an urban skyscraper or a medical campus can be?” asks Larry Turner, an independent IT consultant in Hamilton, Ontario.
Assigning responsibility is to prevent a data breach
ITP.net sums up the conundrum best:
“Whether it’s because it’s easier to not think about the issues or to believe that it’s someone else’s responsibility, people tend to want to think that because an item looks secure and is bought from a reputable source, that they do not need to worry about the security of their IoT devices.”
The same article points out that 47 percent of the most vulnerable devices are security cameras installed on company networks, followed by smart hubs (15 percent), and network-attached storage devices (12 percent).
Turner tells us that those three areas can fall within the purview of different segments of an IT organization residing within the same building. Hackers are often aware of this, which can lead to “open loopholes” they can easily exploit to breach a network.
“It can be something as simple as an IoT coffee machine. If an outside vendor, a coffee company, services the machine, they may or may not be in charge of its security, especially if it is using the on-site Wi-Fi,” Turner says, and advises the following steps to ensure cybersecurity and lessen MSP liability.
Spell it out
To begin with, MSPs need to spell out what they are in charge of and what they aren’t in their service contracts. MSPs that once simply monitored networks are now often in charge of user training, cybersecurity, and hardware disposal. Because MSPs are tasked with an increasing amount of work, it has become all too easy for bottom lines to become eroded by scope creep, and for confusion over who is in charge of what to perpetuate, which isn’t desirable for anyone.
“I’ve overheard office conversations where anything remotely IT-related comes up, and the person just automatically assumes `oh, the MSP will take care of it,'” Turner recalls. “Well, no, not necessarily. If you’re supposed to manage the client’s vending machine security, then make sure that is spelled out and price it in accordingly.”
Segmentation vs. centralization
There are strong arguments and pros and cons to each. We are all accustomed to seeing separate networks for guests, employees and specific subsets of employees. Segmentation helps to decrease the vulnerability and severity of a breach. Still, it can also lead to gaps in communication and IT solutions not being overseen by any entity.
Having an HVAC system’s cybersecurity managed by professionals who understand it best may make sense. But in some cases, it may not. Ultimately, someone needs to make that determination and report it to a reporting supervisor, who acts as a hub monitoring for a breach.
Stakeholder communication
All campus IT stakeholders should be in regular contact. If only part of a campus’s IT is managed by an outside MSP, another by a vendor, and another in-house, all parties need to communicate regularly by text, email, or a shared document.
“It doesn’t have to be anything fancy, you don’t have to all get together for lunch, but you need to know who is in charge of what because if you don’t know, believe me, the hackers will,” Turner advises.
Audit all items to detect a breach
As an MSP, encourage your client to undertake an annual audit of all devices on campus and assign cybersecurity duties accordingly. The smart lighting system that works off a Wi-Fi connection may not be monitored by the electric utility, it may require in-house monitoring or something else, but the chain-of-command has to be established.
“You can’t assume various devices or IT infrastructure is being managed properly by someone else. Because someone else probably assumes you are the someone else,” Turner says.
Photo: ilikeyellow / Shutterstock