This article originally appeared in the October 2024 issue of Security Business magazine.
Seven years and hundreds of data breaches ago, credit bureau Equifax was breached, exposing the personal data of nearly 150 million Americans. At the time, it was a shocking incident that put the dangers of allowing such a breach on the front burner for American businesses and consumers.
Yet, just a handful of weeks ago, National Public Data, an online background check and fraud prevention service, experienced a significant data breach, exposing more than 2.7 billion records with highly sensitive personal data of nearly 170 million people.
When it comes to data breaches, the last thing business leaders want is to be front-page news. In the security monitoring industry, central stations hold key data on potentially millions of subscribers. Steps must be taken to mitigate the risk of data exposure and to protect the monitoring provider from paying exorbitant sums to recover its data and systems in the event of a ransomware attack.
The average downtime resulting from a ransomware attack is 24 days. Imagine a security monitoring company offline for 24 days. Lives and safety can be at risk.
For these reasons, it is imperative for integrators to find out what steps a third-party monitoring provider has taken before entrusting their clients to its services. One big step in the right direction is for the provider to complete a SOC 2 audit and obtain a SOC 2 report.
Why SOC 2 Matters
Central station monitoring providers are not cybersecurity experts. It is one thing for a provider to say it is secure; it is another to get independent verification from a third party who can attest that it is doing the right thing.
SOC 2 (System and Organization Controls 2) is a voluntary attestation framework developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 audit evaluates how a service organization manages and protects customer data against the AICPA's Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is the one criterion every SOC 2 audit must cover; the other four are included according to the services the organization provides.
Among other things, a SOC 2 audit takes a holistic look at an organization's security program: the protections around its software, firmware and hardware; uptime and availability; processing integrity; confidentiality of records; and privacy. It is very thorough. A Type I report assesses the design of controls at a point in time, while a Type II report tests whether those controls operated effectively over a review period that commonly runs six months or longer.
SOPs and Best Practices
Not only does a SOC 2 report attest that an organization is taking the proper steps to safeguard its customer and stakeholder data, but preparing for the audit also pushes an organization to create, follow, and continually refine Standard Operating Procedures (SOPs) and best practices of cybersecurity compliance.
Organizations like central station monitoring companies may also opt for network penetration tests, hiring outside firms to examine their networks and attempt to break in and reach sensitive data, thus revealing weaknesses and risks before a real attacker does.
The weaknesses these tests and other methods uncover feed new SOPs and best practices. For example, our monitoring centers' workstations are locked down: it is not possible to use a thumb drive on one of the computers, and new software cannot be installed. Monitoring center operators do not have access to anything at their workstations beyond what their daily activities require.
All passwords adhere to NIST guidance (SP 800-63B), which emphasizes minimum length and screening against lists of known-compromised passwords over the older composition rules of mandatory uppercase, lowercase and special characters. Two-factor authentication is standard.
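To make the difference between the two styles of password policy concrete, here is an added example (not code from this article or from any monitoring provider it describes) that puts a legacy composition-rule check beside a check written to SP 800-63B. The breached-password list, user names and context words are constructed sample data; a real deployment would screen against a large compromised-password corpus, such as the Have I Been Pwned range API, rather than the handful of hashes embedded here.

```python
"""
Password acceptance checks: legacy composition rules versus NIST SP 800-63B.

Added example. The breached list and account names below are constructed
sample data, not a real corpus.
"""
import hashlib
import unicodedata

# Constructed "known-compromised" passwords, stored as SHA-1 hex digests so the
# plaintexts never sit in the policy engine. A real list has hundreds of millions.
_BREACHED_PLAINTEXT = ["P@ssw0rd!", "Summer2024!", "Welcome1!", "password", "123456789"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _BREACHED_PLAINTEXT}

MIN_LEN = 8   # 800-63B: user-chosen memorized secrets must be at least 8 characters
MAX_LEN = 64  # 800-63B: allow at least 64 characters and never silently truncate


def legacy_policy(password: str) -> list[str]:
    """Composition-rule policy many organizations still enforce.
    Shown for contrast: it is NOT what SP 800-63B recommends."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def _is_sequential(s: str) -> bool:
    """True when every adjacent pair steps by exactly +1 or -1 in code point
    (e.g. '12345678' or 'hgfedcba')."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def nist_policy(password: str, username: str, context_words: tuple[str, ...] = ()) -> list[str]:
    """Checks SP 800-63B asks for: length bounds, Unicode normalization, and
    rejection of compromised, repetitive, sequential or context-specific values.
    No composition rules and no forced periodic expiry."""
    problems = []
    pw = unicodedata.normalize("NFKC", password)  # equivalent input hashes identically
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known-compromised password list")
    low = pw.lower()
    if username and username.lower() in low:
        problems.append("contains the username")
    for word in context_words:  # e.g. company or product names
        if word.lower() in low:
            problems.append(f"contains context-specific word '{word}'")
    if len(low) >= MIN_LEN and len(set(low)) <= 2:  # "aaaaaaaa", "abababab"
        problems.append("repetitive characters")
    if _is_sequential(low):
        problems.append("sequential characters")
    return problems


def accept(password: str, username: str, context_words: tuple[str, ...] = ()) -> bool:
    """Final decision under the SP 800-63B style policy."""
    return not nist_policy(password, username, context_words)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "correct horse battery staple", "jsmith-alarm-desk-2024"]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate) or 'OK'} "
              f"nist={nist_policy(candidate, 'jsmith', ('AcmeMonitoring',)) or 'OK'}")
```

The instructive case is "P@ssw0rd!": it satisfies every composition rule yet is one of the most common passwords in breach corpora, so the legacy check accepts it and the NIST-style check rejects it. A long passphrase with no digits or capitals fails the legacy rules and passes the NIST check.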
Another best practice is simulated (white-hat) phishing campaigns, in which harmless test phishing emails are sent to employees at random, enticing them to click links. Even the unsubscribe link at the bottom of a junk email could be a trap.
These campaigns test employees, train them, and give immediate feedback on links they should not have clicked, along with tips on what they should do instead. In the end, this promotes critical analysis and keeps security top-of-mind for everyone, from the CEO down.
Whether a provider obtains an independent SOC 2 report or simply enacts internal best practices, it is important to know what your monitoring provider is doing to protect the customer data that residential and commercial integrators entrust to it. Central stations must do more than meet minimum standards if this trust is never to be violated.
While no security measure can guarantee complete protection against every malicious actor, SOC 2 is one of the most rigorous and widely respected frameworks available for demonstrating that data is being safeguarded.
A SOC 2 report means you can be confident that a central station has independent verification that it adheres to recognized security practices and controls to mitigate risks, protect sensitive information, maintain operational integrity and provide reliable services, even as threats evolve. Ask for the Type II report rather than a Type I, since only the Type II tests whether the controls actually operated over a period of time, and read the scope of systems it covers and any exceptions the auditor noted.
Ask your central station provider how it protects the data that resides on its servers – it may just keep you off the front page.