
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
September 28, 2021


Why access control has become an important front in the war against cybercrime

A Hiscox report has found that spending on cyber security from businesses has doubled since 2019. Tomáš Vystavěl, Chief Product Officer at 2N TELEKOMUNIKACE, investigates why access control has become such an important asset in the fight against cybercrime. 

Earlier this year, Hiscox published its Cyber Readiness Report 2021. It was based on a survey of more than 6,000 companies based in the US, the UK, Spain, the Netherlands, Germany, France, Belgium and Ireland. One of the most eye-catching findings was that spending per business on cyber security has more than doubled in the last two years.

However, this increased spending has been a rational response to the growing threat level. Based on Hiscox’s study, more firms were targeted by criminals in 2020 than in 2019, and 28% of businesses that suffered attacks were targeted on more than five occasions last year. Almost half of respondents said that they felt their organisation had become more vulnerable to cyber attacks since the start of the pandemic, rising to 59% among businesses with more than 250 employees. Of those targeted, about one in six businesses said a cyber security event threatened the viability of their business. The survey also found that a payment had been demanded from around one in six of those hit by cyber criminals, and more than half of those paid.

Hiscox went on to assess firms’ maturity across six different areas of capability, which comprise the elements required to install, run, manage and govern an effective security system. One of those six areas was ‘Identity and access management’ and, across all the companies surveyed, it came second bottom of the list.

Why is access control an important part of a cyber secure programme?

The truth is that access control has not always been front of mind when it comes to cyber security, and many companies are still playing ‘catch up’ in this area, but this is changing fast. More and more companies now appreciate that if access control systems are compromised, the daily operations of the building – and, consequently, its residents – could be at risk.

These companies are prioritising measures to address the most urgent threats – five in particular:

  1. Man-in-the-middle attacks (MitM) – an attack where a hacker connects to a network and eavesdrops on communication between terminal devices. In this way, door opening codes and device login passwords can be hacked.
  2. Password/dictionary attacks – an attack where a hacker tries to guess the password to enter the device (normally using a password generator and trying different options).
  3. Unauthorised connection to a LAN network – the intercom or reader can be installed on the outside of the house and there is a potential risk that someone will break the intercom and use the UTP cable to connect to the LAN network.
  4. Unauthorised views of the intercom camera – it often happens that IP cameras are installed with a default password, and basically anyone can connect to it and watch what is happening.
  5. Malware attacks against mobile devices – mobile credential-based access control systems are increasingly popular, primarily because of the convenience they offer. However, they have also been a target for hackers, who have tried to attack smartphones with credential-theft, surveillance and malicious advertising.


These threats are not restricted to the cyber sphere. Compromising access control can also pose a physical threat if criminals are able to sneak into a building. Even when physical security is not breached, cyber attacks can cost millions in regulatory penalties, disrupt core business functions, and threaten corporate reputations.

Defending access control systems from cyber attacks: What are basic rules of engagement?

It is clear that threat levels are increasing, and there are some basic ‘good practice’ measures that companies should take to protect every aspect of their IT systems. For example, using strong, complex passwords, conducting regular security audits of the IT infrastructure to identify and eliminate possible vulnerabilities, and training the security team responsible for protecting the building’s IT infrastructure on the most common threats and how to address them.

On top of that, focusing on access control specifically, there are some additional rules that companies can follow which can make a huge difference:

  • Pursue compliance with a proven security control framework. Two of the most respected are ISO 27001 and SOC 2. These guide companies in creating secure systems and processes.
  • Make sure the access control system includes the use of encryption and multi-step authentication. This protects communication between devices, controllers and mobile devices, and ensures no back doors for ‘maintenance purposes’.
  • Create an independent network, dedicated exclusively to devices that handle sensitive information, and ensure that communication between them is encrypted. Place these devices on a separate virtual LAN (VLAN) and ensure that manufacturers of installed devices or software implement protocols such as HTTPS, TLS, SIPS or SRTP by default.
  • Create different accounts with different privileges. Doing this ensures that users will only be able to make changes related to their specific tasks, while the administrator will be given greater privileges to manage the building and all linked accounts.
  • Update the software regularly. Installing the latest firmware version on devices is important to mitigate cyber security risks. Each new release fixes bugs found in the software by implementing the latest security patches.
  • Train your employees to avoid social engineering threats. The human element is the most vulnerable part of any system, and attackers can trick people into making security mistakes or giving away sensitive information. It is therefore necessary to train employees regularly and invest in their awareness of cyber security.
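
The machine-checkable rules in the list above (dedicated VLAN, encrypted protocols, separate privilege levels, current firmware, no default passwords) can be audited against a device inventory. The following is an added example, not code from the article or from 2N; the device names, VLAN ID, firmware versions and record fields are all constructed assumptions.

```python
# Added example: audit a device inventory against the rules listed above.
# Every device, VLAN ID, version number and field name here is constructed.
PLAINTEXT_TO_SECURE = {"http": "https", "sip": "sips", "rtp": "srtp"}
ACCESS_VLAN = 40                  # assumed ID of the dedicated access-control VLAN
LATEST_FIRMWARE = "3.2.0"         # assumed latest release for the access devices

INVENTORY = [
    {"name": "intercom-front", "role": "access", "vlan": 40,
     "services": ["https", "sips", "srtp"], "firmware": "3.2.0",
     "accounts": [{"user": "admin", "admin": True, "default_password": False},
                  {"user": "reception", "admin": False, "default_password": False}]},
    {"name": "reader-garage", "role": "access", "vlan": 1,
     "services": ["http", "sip", "rtp"], "firmware": "3.0.4",
     "accounts": [{"user": "admin", "admin": True, "default_password": True}]},
    {"name": "office-printer", "role": "other", "vlan": 40,
     "services": ["http"], "firmware": "1.0.0", "accounts": []},
]

def version_tuple(version):
    # "3.0.4" -> (3, 0, 4) so versions compare numerically, not as strings
    return tuple(int(part) for part in version.split("."))

def audit(device):
    findings = []
    is_access = device["role"] == "access"
    # Rule: sensitive devices live on their own VLAN, and nothing else does.
    if is_access and device["vlan"] != ACCESS_VLAN:
        findings.append("not-on-dedicated-vlan")
    if not is_access and device["vlan"] == ACCESS_VLAN:
        findings.append("foreign-device-on-access-vlan")
    if is_access:
        # Rule: HTTPS/SIPS/SRTP instead of their plaintext counterparts.
        for svc in device["services"]:
            if svc in PLAINTEXT_TO_SECURE:
                findings.append(f"plaintext-{svc}-use-{PLAINTEXT_TO_SECURE[svc]}")
        # Rule: keep firmware current.
        if version_tuple(device["firmware"]) < version_tuple(LATEST_FIRMWARE):
            findings.append("firmware-outdated")
        # Rules: no default passwords; not every account should be an admin.
        if any(a["default_password"] for a in device["accounts"]):
            findings.append("default-password")
        if device["accounts"] and all(a["admin"] for a in device["accounts"]):
            findings.append("no-least-privilege-accounts")
    return findings

def audit_all(inventory):
    return {device["name"]: audit(device) for device in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "OK" if not findings else ", ".join(findings))
```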

These are not complicated rules, and they needn’t be expensive to follow either. Indeed, as the war against cyber-attacks and data breaches intensifies, which company can afford to ignore them?

More information about intelligent access control and expanding cyber security needs can be found in 2N’s white paper, The Evolution of Access Control.

 
