Who’s on first? What’s on second? I don’t know who’s on third?
That’s an old comedic bit from the classic comedy duo Abbott and Costello meant to convey how a lack of communication can doom a team. A similar lack of communication can leave your business vulnerable to a breach.
Recently, I was speaking with a business owner over the weekend who owns a commercial office complex. He was telling me how he experienced a hack of their office’s security cameras that panned the 100+ spot parking lot. There was no apparent damage done, although a hacker’s motive is often unclear until something ugly rears its head.
The business owner explained to me that he thought the IT company he hired to take care of the office complex IT was also in charge of the parking lot cameras. Meanwhile, the IT company thought the maintenance department, which has a separate chain of command and IT structure, was managing the cameras. And the maintenance department thought it was the responsibility of the third-party vendor who oversaw the parking lot to manage and maintain the cameras. Each thought it was another vendor’s duty to take care of the cameras. In other words, everyone assumed someone else was taking care of cybersecurity for the cameras.
In this case, you’re just talking about one office building, but can you imagine how complex and multilayered an urban skyscraper or a hospital can be?
Know Who is Responsible for What
“Whether it’s because it’s easier to not think about the issues or to believe that it’s someone else’s responsibility, people tend to want to think that because an item looks secure and is bought from a reputable source, that they do not need to worry about the security of their IoT devices.”
The same article points out that 47 percent of the most vulnerable devices are security cameras installed on company networks, followed by smart hubs (15 percent), and network-attached storage devices (12 percent).
Turner tells us that those three areas can fall within the purview of different segments of an IT organization residing within the same building. Hackers are often aware of this, which can lead to “open loopholes” they can easily exploit to breach a network.
“It can be something as simple as an IoT coffee machine. If an outside vendor, a coffee company, services the machine, they may or may not be in charge of its security, especially if it is using the on-site Wi-Fi,” Turner says.
Know Who’s on First
To begin with, outsourced IT companies need to directly inform you what they are responsible for and what they aren’t in their service contracts. IT companies that once simply monitored networks are now often in charge of user training, cybersecurity, and hardware disposal. Because these IT companies are tasked with an increasing amount of work, it has become all too easy for bottom lines to be eroded by scope creep, and for confusion over who is responsible for what to persist, which isn’t desirable for anyone.
I’ve overheard office conversations where anything remotely IT-related comes up, and the person just automatically assumes “oh, the IT company will take care of it.” Well, no, not necessarily.