Brendan McGarrity, Head of Risk & Design at Evolution, says that while most think of the threat as coming from the integrity of the IT network, few perhaps consider the role that security technology installed on that network can play in increasing, rather than reducing, the potential damage that may result. “A humble CCTV camera, rather than being the friend of business, could, in fact, be its Achilles heel,” he says.
The UK government recently gave the Chinese telecoms giant Huawei the go-ahead to supply equipment for the UK 5G data network despite various warnings that it poses a security risk. Brendan McGarrity says the threat is well documented: “The industry well knows which manufacturers’ equipment presents the greatest risk of providing the ‘back door’ into a company’s IT infrastructure. The simple act of failing to change the default password at the point of installation creates enormous risk.
“Of course, this does not mean that such equipment does not have its place in the security industry; risk has to be proportionate. But it does mean that for higher-end, enterprise-wide systems, integrators need to be more circumspect in the technology that they specify, and in the testing that they undertake.
“While we only work with high-end manufacturers’ equipment in the first place (often CPNI accredited), we also prefer to test the integrity of the entire system once it has been designed, to ensure it cannot be compromised. Crucially, this testing is undertaken before the system is then installed on-site, avoiding the disruption this can invariably cause.
“Working with high-end manufacturers also gives us the comfort of ongoing technical support and allows us to perform a managed process for software upgrades.”
As well as the equipment, Brendan says the greatest risk is within the network itself: “Typically, a security system on its ‘own’ network is preferred, both from a practical perspective (i.e. bandwidth) but also from a ‘general’ security perspective; a problem with the corporate network not only compromises the company’s administrative systems, PCs, servers etc, but also effectively ‘disables’ the security installed, leaving a business prone to attack from more ‘traditional’ sources!”
He also says there needs to be greater collaboration and understanding across departments: “IT people are not security experts, and security people tend not to be IT experts, so it is vital that both parties work together to achieve the outcomes they are looking for.”