Beat the cyberthreat

Universities must evolve their security standards faster to ensure students are protected, says Gallagher Security’s UK and EU manager, Richard Huison

The word ‘cyber’ is on the lips of every client I see at the moment – and normally in fearful tones. It’s no surprise when theft of data and disruption to organisational continuity is so threatening.

The WannaCry ransomware attack two years ago affected 230,000 computers in over 150 countries in just one day, which were exposed through a vulnerable SMB port. Organisations from the Université de Montréal to FedEx and from Russian Railways to the UK’s National Health Service fell victim.

The trouble is that hackers can exploit the disparate systems on their networks, often through remote access granted by universities to third-parties precisely to manage the risk. Bring your own device (BYOD) presents perils, too.

And some manufacturers of security equipment who are expected to provide the solution may increasingly be part of the problem!

Countering the threat

I’ve declared that helping organisations to counter the cyberthreat is Gallagher Security’s number one priority – as we do with King’s College London, for instance.

KCL attracts 29,600 students from 150 countries – including more than 11,700 postgraduates – and employs more than 8,000 staff.

That amounts to roughly a million movements per month through 3,600 doors in more than 100 buildings across a combined campus area of 411,004 sqm – all controlled via a single Gallagher Command Centre.

We insist on compliance with the various global government standards – such as the UK’s Cyber Assurance Products, the US’s FIPS and Australia’s Type 1A – where genuine cyber-resilience will be found. This way, as the threat landscape evolves, so will the encryption standards to resist concerted cyberattacks.

It is essential also that you keep application software and your Windows environment bang up to date for the same reason.

Ensure that personal data fields reside on a secure and encrypted sequel database with a single random system-generated key code to ‘unlock’ the database, owned by the company and not any security consultants.

Minimise the data that you keep and constantly remove inactive cardholders to ensure a ‘single source of truth’, integrated with the organisation’s HR system.

Pre-register all visitors to your site, ensure they view and acknowledge your GDPR policy and give their consent for the data you collect, then automatically erase the visitor data once they have left.

The trouble is that hackers can exploit the disparate systems on their networks, often through remote access granted by universities to third-parties precisely to manage the risk

Keep tight control of user privileges on your network and enforce a robust password policy.

Protect against any tampering of access control card readers by ensuring all readers are fully monitored, with electronics potted and protected and full end-to-end encryption with 256-bit Elliptic-Curve Cryptography (ECC).

If unique keys are shared between controller and reader, then a substitute reader will not be recognised and simply will not function.

The most secure card technology to use is Mifare DESFire EV2. However, a better and more cybersecure way may be to scrap card technology altogether and go for mobile credentials.

The smartphone with Bluetooth wireless technology is revolutionising access control and negating the need to issue cards. The same mobile device can be used across multiple sites, with fast, remote, secure and simple provisioning of each device.

We’re ensuring our access products support either PIN, fingerprint or iris biometric authentication, when this is offered by users’ phones. Access credentials are issued to mobile phones using the FIDO Universal Authentication Framework (UAF) protocol, which allows each user to select their preferred method of secondary authentication. Unlike other methods, the FIDO UAF protocol does not require the authenticating system to store user biometric or PIN information.

So, secure two-step enrolment and scheduled two-factor authentication with the user’s finger or face ensure absolute security with no personally identifiable information left in the cloud. 

You might also like: Less than 4 in 10 UK parents have installed security protection on their child’s phone