Health Security Check - Tip #8
“For access control, opt for systems whose IT security is continuously being rigorously checked.”
Thomas Herling, Global Business Owner (GBO) Electronic Access and Data (EAD)
Honestly, can you say with certainty that you have an eye on all the critical points in your company, so that the IT security of your processes and systems is ensured permanently?
Two heads are better than one. That’s why we rely on the support of independent IT experts when developing and maintaining our access control and attendance recording solutions. This includes the Swiss consulting company Redguard, which specialises in IT and information security. They have supported dormakaba with the development process of the cloud-based access solution exivo and worked with us to create guidelines for the development of secure software. Software, however, only remains secure in the long term with the latest updates. Regular inspections within the framework of a maintenance contract contribute to this.
If you want to know more about the threat to your company and your access solutions, read our interview with Dominique Meier, Partner & Head of Operations at Redguard. He also provides an insight into which factors are critical for your IT security.
Interview with Dominique Meier, Senior Security Consultant & Head of Operations at Redguard
dormakaba: How well do you think European companies are positioned in terms of IT security?
Dominique Meier: This is very much dependent on the individual industries, and there are huge differences. I see that there is a lot of catching up to do, especially in small and medium-sized enterprises. Digitalisation is a growing challenge. As a result, IT security is suddenly becoming an issue for more and more industries and companies. At the same time, it is also clear that not everyone is perfectly positioned from the beginning. Things are moving fast, and completely new requirements arise – e.g. in the healthcare industry, with electronic patient records or due to Industry 4.0 with networking beyond the company network. Studies show that many companies do not yet have sufficiently developed technical skills to deal with this topic on their own.
dormakaba: How real is the threat of cyberattacks?
Unfortunately, it is very real – with very real consequences. In mid-2019, for example, there was a hacker attack on the building technology specialist Meier Tobler in Switzerland. The company estimated the damage at five million Swiss francs. In addition, special costs of one to two million Swiss francs were incurred to deal with the attack. A member of staff had booked a hotel online and the virus infected the company via the booking confirmation.
dormakaba: And what about access solutions?
Solutions for access systems are only as secure as the current security standards, which are constantly changing. That’s why dormakaba has its products and processes reviewed by independent IT experts and has worked with us to draw up guidelines for developing secure software. A current example can be found in RFID transponder cards for electronic access control. Older-generation systems such as MIFARE Classic or LEGIC prime no longer meet current security standards, which means that the cards can be read or copied. It has long been known that this vulnerability exists. Nevertheless, these RFID technologies are still widely used.
dormakaba: Where do you see the biggest vulnerabilities in IT security?
Of course, the technology offers many points of attack, but the weakest link in the security chain is usually people. That is why it’s important to keep employees and customers aware of the dangers at all times.
dormakaba: What do you recommend to companies that want to improve their IT security?
They must address the issue holistically and include the technical, human and organisational aspects. Anyone who has purchased a firewall and virus protection is not automatically on the safe side. Only by examining the entire chain can one create the basis for establishing IT security sustainably. It is a question of defining processes and responsibilities. And it’s important to clarify, based on the business strategy, which level of security should in fact be achieved.
dormakaba: Are there checklists to help one adopt the right measures?
Yes, there are many different implementation guidelines. These include, for example, established standards such as DIN 27001 information security management systems or, in Germany, the IT-Grundschutz compendium (basic IT protection compendium) of the BSI. This is a good framework that can help identify relevant threats and appropriate measures.
dormakaba: How important is the testing and maintenance of software – also with regard to access and time management solutions?
In my view, this is a must. Otherwise, it means literally opening the door to criminals. Only regular security updates ensure that you stay up to date and are prepared for potential attacks. This applies to all systems. In 2017, there was a critical vulnerability in Windows that was patched very late by many companies. That’s why it had a major impact. As a result, in England, for example, sixteen hospitals were completely offline and had to turn away patients. Hackers had encrypted the data and demanded a “ransom” amounting to millions.
IT security is not something you do once and then everything’s OK. It’s an ongoing process. You have to keep checking to see whether the threat level and the system have changed and then make the necessary adjustments.