Brivo asked facility managers across the US a variety of questions about how they secure their facilities, how confident they are in their physical security systems, and what their maintenance plans might be. We learned that 40% of facility managers still use lock and key to protect their facilities. We addressed the challenges you face if you are using standard key-card-based access control systems. Now, we need to talk about firmware updates.
I’m the type of person who gets up in the morning and reads the news. One trend that has been consistent is the increasing frequency of news about cybersecurity issues. Phishing campaigns, stolen passwords, ransomware, DDoS attacks, etc., etc., etc. Even my dear ol’ mum has started to build a cyber threat vocabulary and can tell what a phishing email or a spoofed pop-up that contains a malware download link looks like.
Why do I mention this? Well, four-fifths of survey respondents do NOT update their on-premise access control system firmware regularly. This needs to be done at least quarterly, or as often as your manufacturer provides updates. Otherwise, you are vulnerable to simple attacks. Best of all, of course, is to update as soon as your manufacturer releases an update or a patch.
This is scary. Only about 1 in 5 respondents update their firmware quarterly. This may leave your security system weak and easy to manipulate. Cyber threat actors can hack into these systems easily, thus leaving you open to an attack. As I mentioned in my last blog, a high schooler with a laptop can figure out how to hack a standard key card. Hackers get into your system via phishing emails or by exploiting known vulnerabilities. Most of the time, these known vulnerabilities have been patched by software updates. If you do not update your software or firmware, you are an easy target for even the most unsophisticated hackers.
I wrote about having previously worked for a cybersecurity company. Our IT manager, Jarvis (we called him JarJar), was a great guy who had a fantastic sense of humor. It was his job to enforce our security policies, one of which was to always lock your desktop when you weren’t in front of your computer. He had this habit of walking around the office looking for folks who did not close their computer or turn on the screen saver. So whenever JarJar found someone not following the policy, he would play a harmless prank. He would take a screenshot of that person’s desktop and set the picture to full-screen mode. It truly is hilarious to watch one of your colleagues click around their desktop, confused out of their mind that none of the windows are opening and nothing is working. Comedians on YouTube do it a bit differently, which also makes me chuckle.
Keeping your data safe is no joke. It is really easy for people who have the drive to steal your data to do so. What if you manage a multi-tenant office property and a hacker exploits a weakness in your physical access control product, such as accessing an insecure API (Application Programming Interface) and remotely unlocking the door? All a hacker really needs is to get onto your guest WiFi and tap into an open port. Now he has access to your facility. He can waltz on in and do as he pleases. Let’s come full circle: even at a cybersecurity company, employees forget to follow the rules. What if the threat actor that got into your facility walked around your office and saw a laptop sitting with the screen open? It doesn’t take much skill to rip the data from the laptop. It only takes inserting a USB stick to deploy malware on that laptop that sends all communications outside of the firewall to a server that collects the data. You have to be careful. If you’re like me, and you’re worried about cybersecurity, enforcing cybersecurity policies starts with enforcing your physical access control.
If you upgrade to the right solution, you don’t even have to worry about firmware updates. Since Brivo OnAir is a cloud-based service, the product is always up to date and you don’t have to worry about the bad guys taking advantage of unpatched vulnerabilities. If you would like to learn more about Brivo OnAir’s security, please read our Brivo OnAir® Information Security: A Detailed Review Of Assured Control Report.
Brivo has some ideas and recommendations on how to better secure your facilities. Please click here to read the full Facility Manager Executive Report that showcases all of the security gaps and best practices to solve those gaps.