Preventing a Data Breach at Your Monitoring Center

by Josh Tafoya, Technical Trainer

We’ve all seen the recent news about the data breach at Equifax. Roughly half of the adults in America were affected by it through no fault of their own. How, or even whether, Equifax makes good on its mistake remains to be seen. But the lesson applies to us as well: beyond responding to alarms, we are all in the business of protecting sensitive data. Whether it is implicit because we have a reputation for keeping our customers’ information private, or whether it is spelled out in our privacy policy, our customers expect that their personal information will not be made public.

Small monitoring centers can’t afford for information to be leaked, because a data breach of any size might have consequences too large to recover from. Proprietary customers (retail or private businesses) might see a breach hand their competitors an advantage. Medium and large monitoring centers might experience a mass exodus of dealers if private data were to get out. Finally, government customers face far more serious consequences for data breaches.

The short version is that none of us can afford to have our private data accessed by anyone outside. But there are things we do here at Bold, and things that you can do, to protect your data. For instance, at Bold, steps were taken when Manitou and its various bits were being planned, designed, and created to address data protection.

  • The first, and often most obvious, is the segregation of data for BoldNet, BoldNet Neo, and BoldNet Mobile. These applications were designed so that customer data is not stored on the web server itself. That matters because the web server is the host most exposed to the internet; a compromise there should not hand an attacker the customer database.
  • Another design element of Manitou is access control within the software. I don’t mean a card swipe that gets you in the door, but rather the ability to allow or disallow individual users from logging in. Even if someone were to gain access to your network, and even if they were able to install the Operator Workstation client software, they would still need the client patched from the server, and, further, they would need to be authorized from an existing Supervisor Workstation before they would be allowed to review customer data or cancel alarms.
  • Passwords are another layer. Manitou logins for operators are purposely separate from Windows domain credentials but can be made at least as strong. Manitou can enforce password complexity and change intervals. ManitouNEO takes it a step further to address the new UL 1981 Rev. 3 standard by requiring a minimum of six characters with at least one alphabetic and one numeric character, disallowing a sequential series or a derivative of the user name, and disallowing reuse of any password used within the last six changes. Treat that six-character minimum as the floor the standard sets, not as a target; longer passwords cost operators little and cost an attacker a great deal.
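To make the ManitouNEO rules above concrete, here is an added example of how such a policy can be checked, with the password history kept as salted hashes rather than plaintext. This is example code written for this post, not Bold’s or Manitou’s implementation; the function names, the way the “sequential series” rule is interpreted, and the sample user name and passwords are all assumptions chosen for illustration.

```python
"""Password-policy check modelled on the six rules listed above.

Added example, not Bold's code. The function names, the 'sequential series'
heuristic and the sample data below are assumptions for illustration.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 6      # the standard's floor, not a recommended target; raise it
HISTORY_DEPTH = 6   # a new password may not match any of the last six


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). History is stored this way so that the
    reuse check never needs plaintext passwords on disk."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches(password: str, entry: tuple) -> bool:
    """Constant-time comparison of a candidate against one history entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def is_sequential(s: str, run: int = 3) -> bool:
    """Heuristic for 'sequential series': True if any `run` consecutive
    characters step by +1 or -1 ('123', 'cba') or repeat ('aaa')."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def derived_from_username(password: str, username: str) -> bool:
    """Reject passwords containing the user name or its reverse (case-insensitive)."""
    p, u = password.lower(), username.lower()
    return u in p or u[::-1] in p


def validate_new_password(password: str, username: str, history: list) -> list:
    """Return the list of policy violations; an empty list means acceptable.
    `history` is a list of (salt, digest) tuples, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if is_sequential(password):
        problems.append("contains a sequential or repeated series")
    if derived_from_username(password, username):
        problems.append("derived from the user name")
    if any(matches(password, entry) for entry in history[-HISTORY_DEPTH:]):
        problems.append(f"reused within the last {HISTORY_DEPTH} changes")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a hypothetical operator and two prior passwords.
    username = "jtafoya"
    history = [hash_password(p) for p in ("Alarm2016a", "Alarm2016b")]
    for candidate in ("123456", "jtafoya9", "Alarm2016a", "Monitor!7"):
        print(candidate, "->", validate_new_password(candidate, username, history) or "OK")
```

Each candidate prints its list of violations, or OK. Because the text does not define “sequential series” precisely, the example flags any three consecutive characters that step by one in either direction or repeat; a real deployment would tune that window. MIN_LENGTH is a named constant so that it can be raised above the six-character floor without touching the logic.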

There are also multiple things which should be done to prevent a monitoring center data breach from an IT standpoint. Some or all of these might seem like common sense, but experience has shown me what seems like common sense to one person isn’t necessarily for another one.

  • Network access is the first thing I want to talk about. Anyone holding sensitive customer data should have a decent firewall, and if a web server is present it belongs in a DMZ: a separate network segment from which the web server can reach only the specific back-end ports it needs, so that a compromised web server cannot roam the rest of the network. I don’t mean the fifty-dollar item from Walmart. A competent IT professional will be able to recommend an appropriate piece of equipment.
  • Also regarding network access, Wi-Fi networks should be secured. More than that, if Wi-Fi isn’t absolutely required, it should be avoided. If it can’t be avoided, there are steps that can be taken: a separate network for general internet access that is isolated from the monitoring LAN, and strong encryption (WPA2 at a minimum, with a long passphrase or, better, 802.1X authentication against your directory). Not broadcasting the SSID and filtering on MAC addresses are often suggested as well, but treat them as housekeeping rather than security: a hidden SSID still appears in the frames clients send when they connect, and MAC addresses are transmitted in the clear and are trivially spoofed. Again, the basic Wi-Fi router on sale at the local big box store isn’t going to cut it if you want maximum security.
  • Antivirus software should always be kept up to date, and the same goes for operating system and application patches; signature updates will not stop malware that arrives through a vulnerability the vendor patched months ago. Given some of the recent viruses, this one should have been taken care of months ago. If not, make it a top priority.

Your IT Professional should be able to suggest a course of action to secure your network. Their ultimate question should be, “How easy do we want to make it for bad guys to gain access to our data?” Obviously, that may be one of many questions being asked simultaneously, but the question must still be asked.

There are dozens of other things to consider. Too many for a single blog post! Count on your IT Professional for guidance. Neither you nor we want your monitoring center to be the next headline for a data breach, whether in your local newspaper or anywhere else. We’d rather see headlines showing how you are growing and succeeding!