Security Business Cover Story (Sept. 2021): Our expert integrator panel tackles widespread changing regulations and how to capitalize on them to expand services and increase revenue
This article originally appeared as the cover story in the September 2021 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.
Many economists believe data has replaced oil as the world’s most valuable resource. International online giants such as Facebook, Google and Amazon provide low- and no-cost services based on the value of collected customer data. Email, social networks and one-day product delivery hinges on learning customers’ names, gender, ages, locations and phone numbers, along with food, fashion and entertainment preferences. Smaller organizations also collect data to hone online advertising and other promotional activities.
Concerned consumers are fighting back with new privacy laws enabling them to learn what personal data is collected and how it is stored and sold. At first glance, it may appear this trend has little to do with the physical security industry; however, ignorance of these laws puts many security integrators at financial risk through hefty fines.
The European Union’s 2016 General Data Protection Regulation (GDPR) act is widely credited as the first significant privacy law, covering – among many things – data collected for access control systems and citizens’ video images captured, even inadvertently, by surveillance cameras.
In the United States, 2018’s California Consumer Privacy Act (CCPA) codified many similar regulations. Recently, New York, Virginia and Colorado enacted consumer data protection and privacy laws. Other states are surely to follow.
The privacy laws differ by state; for example, some exempt employees, while others do not. Some regulations apply to organizations doing business in a state, even if they lack a physical presence. Gross annual revenues may determine which companies are affected.
Privacy laws are not going away. Widespread changing regulations offer opportunities for well-prepared integrators to expand their services and increase revenue. Getting to that point requires employee training, new operational protocols, closer cooperation with clients’ IT teams and consistent plans for working with top manufacturers and subcontractors.
Security Business sat down with its exclusive three-member integrator expert panel – John Nemerofsky, COO of Sage Integration; Michael Ruddo, Chief Strategy Officer for Integrated Security Technologies (IST); and Brad Wilson, CPP, President and COO of RFI Communications and Security Systems – to find out how a multi-state or global security integrator should navigate and capitalize on this minefield of regulations.
Technician and Employee Awareness
All three integrators agree the first step in adhering to privacy laws is making their employees aware of the dangers of breaches to client systems. “Like anything having to do with security, the job starts with awareness,” Wilson says. “Are your employees aware? Does everyone on staff understand the sensitivity of the information they may have access to?”
Apparently not – in fact, Wilson says he has heard of technicians saving unencrypted security floorplans, drawings and network information on later stolen laptops. Also, he says, it is common to see an integrator’s van with 10 or more access control badges hanging from a rearview mirror, providing a fast-moving thief entry to facilities the technician is authorized to access.
Nemerofsky tells a story of a privacy data breach that did not require stolen access cards or a network hack. A company received a call asking for $5 million in ransom. The caller had data including the chief executive’s Social Security number and current bank accounts, company financial records and sensitive customer details. Fortunately, he was not good at covering his tracks and was soon arrested by the FBI.
“This was an inside threat, which is more prevalent than you would think,” Nemerofsky says. “This guy patiently gathered information by looking at other employee workstations that remained active after the users left. The company soon changed protocols to reduce the time information remained on display and who had access to areas with screens showing critical data.”
Awareness of privacy issues runs high within enterprise organizations, the experts say; however, according to Wilson, most integrators make the largest percentage of their sales servicing SMBs with 24 or fewer doors. “That is probably where you have the least awareness of privacy laws and the least established protocols,” he says.
Focus on the Strictest Standards
Sage, RFI and IST all work in multiple states, and some of their larger customers do business in Europe and other countries. With the proliferation of differing privacy laws, the three veteran integrators say they comply with the strictest standards where they operate most often, and usually apply them even in states without robust privacy legislation.
“With two of our offices in California – including our corporate headquarters facility – we are used to complying with that state’s standards,” Wilson says. “These are typically more stringent and generally meet other states’ requirements; however, our out-of-state regional offices can operate with flexibility when warranted.”
Ruddo says IST often works with federal departments and agencies that set regulations later adopted by other verticals such as education and healthcare. When working with commercial projects across the country, IST typically defaults to federal security and privacy standards.
“I have not done a word-by-word comparison between federal and state privacy laws,” he says. “But I would say 99.9% of the time, the federal standards will cover us in any state, locality and many highly regulated commercial markets such as healthcare, banking and utilities.”
Nemerofsky adds that it is essential to fully understand a client’s business, including how and where customers operate. “Many U.S. integrators do not think of GDPR and its privacy regulations because they do not do work in the EU,” he says. “But if their clients do, these U.S. integrators need to be aware of GDPR.”
A good example of standards set for a specific industry is the Healthcare Insurance Portability and Accountability Act (HIPAA), which creates national standards to protect patients’ medical records and other personal health information. Ruddo says hospital administrators are very familiar with HIPAA regulations, having dealt with them since 1996.
“We do not have to educate our healthcare clients about HIPAA and its privacy regulations,” Ruddo says. “But that’s not always the case with other existing and potential clients in other industries.”
Working with IT
Ruddo says before beginning a network-based security project, his team asks security directors to bring the IT team members to the table – if they are not already there. “IST grew out of an IT company, so our ability to engage an IT staff and talk intelligently has always been a mainstay of our business,” he says. “If you are not talking with IT, you are making a big mistake – the whole discussion of privacy tends to dovetail back into a cybersecurity conversation.”
Wilson and Nemerofsky agree that engaging a client’s IT department is essential for today’s highly networked systems. “If you cannot have an educated IT discussion at proposal time, you are diminishing your opportunity to win that business,” Wilson
All three integrators agree that liability resulting from breaches from an integrator-hosted system is concerning; however, Nemerofsky says liability in case of a hack – even from a hosted, cloud-based site – rests with the data’s owner, not the integrator who holds the information.
Integrators providing hosted services protect themselves by having clients sign an end-user licensing agreement (EULA), clarifying who owns the data. An exception to the liability rule would be a hack from someone on the integrator’s staff; thus, Ruddo says it is important to conduct background checks of new hires and run regular drug tests as added protection against liability.
Ruddo also urges integrators to carry liability insurance to cover problems with third-party providers required to put a privacy or cybersecurity project in place. “If the prime contract is between you and the end-user, you are going to meet the first brunt of any liability claims,” he says. “Healthcare and other top verticals already want their integrators to carry cyber insurance, and I expect to see it as the norm soon. Ultimately, protecting the systems you are deploying is going to mitigate a lot of risk to a customer’s privacy and other data.”
Integrators should use caution when dealing with subcontractors who often lack knowledge of privacy laws and cybersecurity in general, Nemerofsky says, noting that subcontractors still play an important role. “How does a customer feel about paying $165 an hour for your Cisco-certified technician to run cable when you can hire a subcontractor at a $50 hourly rate? But we will not sub out projects that have anything to do with privacy and data protection – that is work for our trained and certified staff members.”
Ruddo says integrators need to run background checks on subs, including financial records, the number of employees, office locations, and ensure the firm is licensed to do business in states where a project is located. Also, importantly, make it clear in a contract that a sub ca not further subcontract the work without advance notice and approval.
Video Surveillance and Privacy
Video is one of the most sensitive mediums, as bystanders may be captured along with criminals in security or law enforcement surveillance. Liability issues may arise if clips become public. Ruddo says global VMS and other video-related
manufacturers seeking GDPR compliance add software that quickly removes or blurs irrelevant people, license plates and other privacy-protected information from surveillance video.
Recently, facial recognition has come under fire, with cities across the country limiting or outright banning the technology. Nemerofsky says photos of employees’ faces taken to match an access control record are turned into encoded digital templates, offering nothing useable for hackers looking to access a worker’s data.
“From an industry point of view, we need to do a better job of educating the public and elected officials about what facial recognition can and cannot do in the workplace,” Nemerofsky says.
Revenue Opportunity for Integrators
Wilson says his team assumes the role of privacy tutor with some clients, which creates an opportunity to sell service packages helping RFI clients meet changing privacy laws. Those packages might include concierge services that update access control records and change passwords as necessary, as well as regular system auditing and compliance surveys that ensure the client remains in conformity.
“I believe we are heading toward the same type of regulations that require frequent testing of fire alarm and communications systems,” Wilson says. “An integrator can no longer get by just selling cameras, boxes and appliances. We must include service packages for testing and auditing the functionality of privacy protection solutions.”
Wilson added that carrying certifications such as ISO 27001 and SOC 2 (information security management standards) shows an integrator takes a strong stance on protecting privacy, giving the organization a competitive edge that could translate into greater revenue.
Nemerofsky says Sage has several ways to generate cyber-related recurring revenue. One way is a device put on customer’s networks that detects breaches and reports on other system details. “The device lets us provide our client with a monthly report card with details such as how many devices they have on the network and the number of authorized employee users,” he explains. “Clients are often surprised to see higher numbers than they expected. The device also notes the last time passwords were updated and warns of software needing updates. If they get a low grade, we work with our clients to make improvements in the next month.”
Looking to the future, the integrators believe hosted and managed services will deliver security and comply with privacy laws with a greater emphasis on subscription services producing recurring revenue.
Nemerofsky urges integrators to evaluate products and services carefully. Each month, his Sage team examines five or six new technologies.
“Sadly, there are still manufacturers without an Open Supervised Device Protocol (OSDP) solution,” he says. “They are still selling Wiegand protocol products that are not secure or conducive to protecting private data. These manufacturers are not good industry citizens. Work with manufacturers that have created cyber programs that offer OSDP and a complete protocol for handling a breach.”
“Ensure your customers understands how their data is stored and what products are used to protect it,” Wilson says. “This is key in smaller markets where end users may consider IoT products that typically have few built-in security or privacy protections, making them more subject to data breaches.”
“Be concerned about privacy in every aspect of an installation and be ready for new laws,” Ruddo says. “As clients get smarter and more regulations come out for the individual verticals, integrators must know how to deal with them.”
“Look at your transaction risks,” Nemerofsky says. “For example, if you are going to take on a project in California, with its strict privacy laws, are you going to have to spend $20,000 to become compliant for a $30,000 project?”
Jon Daum of security-centric PR firm Daum Weigle (www.daumweigle.com) contributed to the writing of this article.