Cybersecurity Is The Future Of Every Business
By David Peeples
No matter what business you’re in, it’s time to step up your cybersecurity game.
At Intellisoft, our core business is identity and access management—badges and clearances—for airports and federal buildings. Yet, we learned that even as a cutting-edge security company, we weren’t meeting the reality of today’s cyber threats.
Who opened our eyes? A dream customer.
Three years ago, we were fully confident in our latest-generation intrusion detection, firewall, anti-malware, anti-virus technologies and cyber policies. Then, a bid to work with the Port Authority of New York and New Jersey (PANYNJ) showed us what a top-notch cybersecurity regime should look like.
Setting standard for partners
Our customer knew they couldn’t be secure unless we were secure.
So, before we could even see their RFP documents, PANYNJ required deep background checks and information security training. Not even the U.S. Department of Defense required such vetting. After we won the project, they wanted more.
They required us to obtain an ISO 27001 certification that involved in-depth risk assessment, developing controls to mitigate risks, creating an in-house information security management team, and more. We also had to undergo an AICPA SOC 2® Type 2 audit, which evaluated our network connectivity, firewall, hardware, data transmission, and other critical operations.
It was a lot. But it made me wonder why businesses usually ask so little of their partners. And why wasn’t Intellisoft asking for this level of cybersecurity from ourselves?
Changing threat environment
I believe this level of caution should be the baseline. Think about your payroll, outsourced IT and maintenance. All of these are potential third-party entry points into your company. If you provide such services, then you might be the risk to a customer.
Hacking is easier than ever. Attackers can hire somebody to hack you, or just buy off-the-shelf tools to get through your systems. Hackers are getting deep into partner relationships, so you need to go deeper.
You’re not going to hear most people talk about their internal ISO certifications or security audits. However, I’ve come to see that level of depth as a preemptive strike against the cybersecurity time bombs we all face today. Too many companies don’t make cybersecurity a priority until disaster strikes.
Bottom Line Impact
A former assistant director for cybersecurity at the FBI told me he’d never seen a company hit with a ransomware attack that did not pay the attackers. If you get hit through a third-party system, it’s going to cost you. If your third-party service puts your customers in a jam, say goodbye to your money, your reputation and possibly all of your data.
On the other hand, stepping up to the challenge PANYNJ laid down strengthened our business. Previously, we hadn’t launched more than three airport projects in a single year. Over the past 16 months, however, we implemented six airports—half of those under Covid-19 restrictions. The rigorous cybersecurity culture we’d adopted paid big dividends when we approached subsequent prospects.
Ongoing cybersecurity culture
It took the willingness of our entire team to create a cybersecurity culture that enabled real business impacts. Now, everyone understands what a truly secure environment looks like when we are entrusted to create one with our partners. No matter what your industry, getting serious about cybersecurity sends a signal that you’re a company to partner with for the future.
If you’re hearing this call to action loud and clear, please don’t hesitate to take at least a few first steps toward creating a cybersecurity regime that’s ready to handle today’s threats. Don’t assume hiring the best IT talent is enough. Your biggest insider threats are untrained employees. Just one employee who falls for a phishing attack is a gateway for those hackers-for-hire. Cybersecurity must be top of mind among all personnel.
This is not a “one and done” event, which is why we now have quarterly cybersecurity training for all Intellisoft employees. We bring in outside companies to test our controls and our people. And I’m writing this as we undergo our annual ISO audit.
In truth, I probably underestimated the amount of resources it would take to foster a cyber-first culture. In the end, however, I couldn’t possibly have guessed the value it would bring to our organization and to our partners. If you’re like us, working in an industry where focusing on third-party attacks and internal security culture bucks conventional wisdom, that’s okay. You’ll probably end up ahead in the long run.
David Peeples is president of Intellisoft, a company that provides identity management solutions at over 100 of the most secure facilities in the United States, including the nation’s largest airports, the Pentagon and Department of Defense. Learn more at www.intellisoft.com.
Photo by Blake Kantlehner, Blake Alan Studios