With technology ever-evolving, federal, state, and local governments across the globe have implemented new tools and processes to make their cities more accessible, efficient, and secure. From IoT devices, including cameras, traffic signals, and public transportation, to city management systems and public data, cities all over the world are making an effort to become “smart” cities. But an increase in new smart technologies comes with an increase in cybersecurity risks, something that not all smart cities know how to mitigate or are capable of mitigating. This leaves us wondering: Can smart cities also be cyber-secure cities? What’s the difference between smart cities and cyber-secure cities?

What Makes a Smart City Different Than a Cyber-Secure City?

While smart cities utilize many innovative technologies with the intention of enhancing the lives of residents and increasing the efficiency of the city itself, smart cities are not always secure. Even if a city implements the latest, most innovative technology, it doesn’t always mean it’s secure. In fact, smart cities that rush to implement the latest innovative technologies may even increase the likelihood of experiencing a data breach or security incident because they don’t have effective cybersecurity strategies already established, leaving them even more susceptible to existing and new vulnerabilities. And even if a smart city does establish cybersecurity policies, new smart technologies increase the attack surface, introduce new vulnerabilities, are susceptible to DoS attacks, and often have encryption issues.

Examples of Smart Cities

To better understand the difference between smart cities and cyber-secure cities, let’s take a look at how the following cities have integrated new, innovative technologies into their infrastructure to change how their city and residents function.

  1. Barcelona: In 2012, Barcelona began rolling out technologies in an effort to become a smart city. This included adding smart technologies in various sectors including waste management, street lighting, public transit, and parking. For example, their waste management system became more efficient for citizens when they implemented a new smart waste device for waste disposal. Additionally, to solve their parking issues, they implemented a sensor that guides drivers to open parking spots.
  2. Sydney: Sydney has implemented various smart technologies including smart traffic controls, smart video surveillance, smart parking, smart public transportation, and smart waste management. Their smart public transportation system, like many other cities, offers a contactless fare collection system, making the ticketing and riding process much more efficient for passengers.
  3. Dubai: Known for its innovative architecture, Dubai is ahead of its time in many ways. Like Barcelona and Sydney, this smart city has implemented smart technologies including smart government services, smart energy and water, smart parking and traffic, smart cameras and security, and smart street lighting, and has plans to roll out even more smart city initiatives including an Artificial Intelligence Lab, paperless government, and a “happiness” agenda.

Examples of Smart and Cyber-Secure Cities

  1. New York City: A city known for its infrastructure, transportation system, government, and so much more, there’s good reason NYC was named the “smartest city” in 2017. This metropolis’ implementation of smart technologies, including surveillance cameras, traffic detection systems, smart street lighting, smart waste management, and wireless water meters, coupled with their Cyber NYC Initiative, demonstrates their focus on improving the livelihood of residents through smart technology and also their commitment to keeping their citizens secure with strong cybersecurity policies.
  2. London: Much like NYC, London has positioned itself as one of the top smart and cyber-secure cities in the world. They’ve incorporated traffic sensors, surveillance cameras, smart street lighting, smart parking, and their famous underground railway system to make their citizens’ lives easier, all while continuing to focus on cybersecurity and protecting their citizens from experiencing the effects of a breach. For example, like Cyber NYC, London’s cybersecurity startup accelerator, Cyber London, or CyLon, is dedicated to helping businesses develop information security technology and products, furthering the city’s focus on cybersecurity. London is also home to some of the world’s most prestigious universities and research facilities, making it an attractive hub for cybersecurity professionals, and thus a smart and cyber-secure city.

Does the city you live or work in utilize smart technologies? Want to make sure that your city is both a smart and cyber-secure city? Contact us today to learn more.


GDPR and Marketing: Why it Matters

Has your organization considered the GDPR implications for marketing? Because of the misconception that GDPR is solely for lawyers and information security teams, many organizations don’t realize how their marketing activities impact their privacy efforts. GDPR is more than a data privacy law. Instead, GDPR is a mandate that affects how organizations market, collect, use, and store consumers’ personal data, so GDPR compliance and awareness are just as important for the marketing departments as they are for IT departments.

Here’s what organizations need to realize: whether or not your core services relate to marketing, you must understand the GDPR implications for marketing at your organization. Why? Because in the year since GDPR became enforceable, most data subject complaints relate to marketing. This means that if marketing is necessary to your organization and you market to data subjects, you must know the GDPR implications for your organization.

In this webinar, our Director of Regulatory Compliance, Mark Hinely, will discuss how to identify which privacy regulations apply to your marketing activities, the benefits of following privacy best practices, and what exactly those privacy best practices are that your marketing team should be following. By the end of the webinar, you’ll learn about these four key takeaways:

  1. Marketers need to identify a legal basis for their marketing activities.
  2. Marketers must review their privacy policies and ensure that they articulate what third parties are used during marketing activities, what personal information is used for marketing activities, and the legal basis for marketing activities.
  3. Marketers need to understand data subject rights, especially data subjects’ absolute right to object to direct marketing.
  4. Marketers must monitor member state publications to stay up to date on updates and enforcement actions.

Ready to watch the full webinar? Want to learn more about how your organization’s marketing activities can meet privacy requirements? Contact us today.

Managed service providers (MSPs) have a unique role: they are entrusted by other organizations to fulfill some or all of their business functions. Oftentimes, organizations hire MSPs to create and maintain strong security postures, and when these organizations partner with managed service providers, they want to know that they won’t bring more risk into their environment. So, how can they ensure that they won’t increase risk?

How Can MSPs Demonstrate That They’re Secure?

What would it cost you if your organization compromised client data because of insecure managed services? How would you be impacted if your services were hacked? MSPs cater to various industries and are likely to interact with a number of various sensitive assets on a regular basis. After all, as vendors, MSPs rely on the data of other organizations to fuel their business. Because of this, MSPs must make it a priority to ensure that they offer secure services, and they can do this by undergoing annual information security audits.

Common Frameworks for Managed Service Providers

While managed service providers may be required to comply with various frameworks and legal regulations depending on the industry they’re in, types of organizations they work with, and services they offer, we believe that MSPs should consider undergoing audits for the following common information security frameworks. By doing so, managed service providers will be able to find and mitigate vulnerabilities in their security posture, assure their clients that they are secure, and get assurance by a third-party auditing firm that they are doing everything they need to be doing to keep their clients’ sensitive assets secure.

  • SOC 1: When you engage in a SOC 1 audit, an assessor will review your internal controls over financial reporting. For managed service providers who are outsourced to provide financial reports to other organizations, a SOC 1 audit may be necessary.
  • SOC 2: As an MSP, it’s likely that your customers will want to verify that you’re doing everything that you can to secure their sensitive assets. Undergoing a SOC 2 audit is a key way to demonstrate this. Why? By engaging in a SOC 2 audit, you can assure your current and potential clients that their information is secure, available, and confidential.
  • PCI: Many businesses in the retail industry partner with MSPs to outsource some of their business processes. As an MSP, if your services get compromised by a malicious hacker and your clients’ payment card information is stolen, how would that impact your business?
  • HIPAA: Do you provide managed services to healthcare organizations? If so, you would be considered a business associate and are thus responsible for ensuring that you comply with the HIPAA Security, Privacy, and Breach Notification laws.
  • GDPR: If part of your managed services involves working with organizations located in the EU or with the personal data of EU data subjects, you’re responsible for complying with GDPR.

Benefits of Information Security Audits for MSPs

If your clients can’t trust you to ensure that their sensitive assets remain secure, then why would they do business with you? As a managed service provider, and trusted third-party vendor, undergoing information security audits is so much more than something to check off a to-do list. Instead, it’s an investment that will result in a stronger, more robust security posture, a competitive advantage, and most importantly: peace of mind for your clients.

Regardless of the industry or type of organization MSPs partner with, securing the people, processes, and technologies used to deliver your managed services must be a top priority. Want to learn more about how KirkpatrickPrice can help you secure your managed services? Contact us today.


Why is cybersecurity for airports important? According to the FAA, more than 2.6 million passengers fly in and out of US airports on a daily basis. That’s 2.6 million people who rely on – and expect – airports, airlines, and aircraft to deliver secure services. As the cybersecurity threat landscape continues to evolve, it’s more important than ever that the airline industry understands and effectively mitigates the risks it faces. After all, whether it’s an airport, an airline, or an aircraft, there are cyber risks in every facet of the airline industry.

Cybersecurity Threats Before You Get to the Airport

You don’t have to physically be inside of an airport to experience a breach. In 2018, British Airways announced that 380,000 transactions were compromised during a breach of the airline’s website and app. Fortunately, no travel or passport details were compromised, but payment information was obtained, and the breach was linked back to Magecart, a threat group that has compromised over 800 e-commerce sites worldwide.

Air Canada experienced a similar breach of its mobile app, which resulted in compromised personal information, including passport numbers, of approximately 20,000 users.

When you consider all the components that make the airline industry successful and innovative, you realize just how important cybersecurity for airports must be because of how many attack surfaces are available to hackers. How could thorough, continuous penetration testing have changed or prevented these breaches? How could a tried and true detection and monitoring system have alerted airlines earlier?

Cybersecurity Threats Inside of Airports

Physical security is of the utmost importance to airports, but cybersecurity for airports goes hand-in-hand with physical security. Why? Cybersecurity attack vectors can be inside of airports themselves.

The US Customs and Border Protection (CBP) program called Biometric Exit has caught privacy professionals’ and consumers’ attention. Biometric Exit is a facial recognition system currently being rolled out at departure gates in 17 airports across the US. By 2021, the CBP hopes that 97% of airports will be able to utilize this technology. The idea is to increase efficiency by replacing manual identity verification – no more interaction initially needed between a passenger and an airline employee. But biometric technology brings up so many privacy and cybersecurity issues: what other ways could airports use facial recognition technology? Who is collecting this data, and where is the cross-reference data coming from? Are they using the data in any way other than identity verification? How long is biometric data being stored? Is the public allowed to have an opinion on when, where, and how this technology is implemented? How will this program impact cybersecurity for airports?

The flight information displays at Cleveland Hopkins International Airport recently went blank, with all other systems functioning. Email temporarily went down, but no other operations were impacted. This incident is still under investigation by the FBI, plus city and airport officials. The immediate assumption is that this was some type of cyber hack, but no conclusion has been reached yet.

In-Flight Cybersecurity Concerns

There is an obvious and major concern for protecting aircraft themselves from cybersecurity attacks, but how else could an aircraft be compromised? Along with new technology in airports comes new technology in aircraft. Cameras have been fitted to airplane seats, specifically when there is in-flight entertainment technology, and two senators have raised privacy concerns. They’ve asked 16 international airlines the following questions:

  • Does your airline currently use, or has ever used, cameras, microphones, or sensors to monitor passengers?
  • What purpose do the cameras, microphones, or sensors serve and in what circumstances may they be activated?
  • If you have or currently do utilize cameras, microphones, or sensors to monitor passengers, provide details on how passengers are informed of this practice.
  • Provide comprehensive data on the number of cameras, microphones, and sensors used by your fleet, and the type of information that is collected or recorded, how it is stored, and who within your airline is responsible for the review and safekeeping of this information.
  • Confirm what security measures you have in place to prevent data breaches of this information, or hacking of the cameras, microphones, and sensors themselves.
  • Are the cameras used in any biometric identity capacity, and if so, under what authority?

The senators have proposed bipartisan legislation, the Passenger Privacy Protection Act of 2019, in hopes of prohibiting airlines from having cameras in in-flight entertainment systems. If not properly secured, could this technology be the next attack vector for malware?

The Need for Effective Cybersecurity Strategies

Effective cybersecurity strategies for airports, airlines, and aircraft keep passengers, their data, and their privacy safe. We haven’t seen a major cyber attack on an airport yet and we hope that cities across the globe take the responsibility of cybersecurity for airports seriously. If you’re interested in learning more about effective cybersecurity strategies, contact us today.


We find that managed service providers (MSPs) are often reluctant to take responsibility for the risks that they pose to clients. Their clients, though, may assume an MSP does take hold of a particular risk – and here lies the problem. When this type of miscommunication occurs, it leaves major gaps in organizations’ security posture. So…who owns the risk?

Shifting the Risk

When an organization engages with one or more MSPs, they must understand the concept of shared responsibility. MSPs and their customers must work together to meet security standards and expectations. Working with an MSP doesn’t remove the risk from the customer, it shifts it. Protecting systems like database servers, firewalls, switches, authentication services, and log servers means there is a distribution of risk between the MSP and the customer. As an MSP, you must clearly define what is within the scope of your responsibilities to your client. Customers do inherently accept some risk, but not all of it. You’re providing important, essential services – take that responsibility seriously. Your customers are putting their trust in your services. MSPs depend on trust. If a client can’t trust your services, why would they choose to use you?

Don’t fall into the trap of getting too comfortable with risk when you partner with an MSP.  As an organization engaging with one or more MSPs, you must remember that you cannot outsource your reputation. Your reputation will always be at risk – and your responsibility. It’s up to you to vet MSPs and hold them to a high standard.

Benefits of Owning Your Risk

Pursuing challenging compliance goals, especially before you’re required to, may seem like too much work, money, or time. We believe, though, that when an MSP proactively undergoes something like a SOC 2 audit, it demonstrates that they are invested in providing secure services and ensuring that their clients’ data remains protected. Achieving compliance objectives before your competitors or before you’re asked by a game-changing prospect prepares you to own your risk.

MSPs’ reputation, business continuity, competitive advantage, and branding all depend on the quality and security of their systems and can benefit from SOC 2 compliance.

Owning your risk…

  • Makes you aware of where your vulnerabilities are and how that impacts your clients
  • Gives you a direction for where to mitigate risk
  • Gives you a competitive edge, puts you above the rest
  • Protects your reputation
  • Eventually, makes you and your customers more secure

If you’re an MSP who is hesitant to undergo an information security audit, consider the implications of suffering a data breach or security incident. The negative implications for your reputation have a ripple effect; once your customers’ information systems or data are exposed, you’re on a path full of obstacles and fragmented security. Your reputation will be permanently changed. Clients will stop trusting you, prospects will stop inquiring about your services, and lawsuits and fines will begin to surface. The continuity of your business depends on securing your systems and proving that you are, in fact, a secure MSP.

Have questions about how to achieve compliance goals or start the compliance journey? Contact us today.
