printer friendly version

A strong cybersecurity foundation

In today’s digital world, it is not surprising to see cybersecurity top of mind in many boardrooms. Indeed, 96% of CEOs say that it is essential to their organisation’s growth and stability, according to Accenture.

They are right to be concerned because, according to research firm Cybersecurity Ventures, cybercrime is projected to cost the world a staggering $9,5 trillion USD in 2024. Such losses can be business-ending, without even considering the cost of reputational damage and unscheduled downtime.

The cyber-risks of video

Therefore, being aware of the risks of an insecure video surveillance system and how to mitigate these are critical skills for all security leaders. A VMS can present attractive targets for malicious actors thanks to the data collected by cameras, connected sensors, and video management software (VMS). This data can be used for blackmail or to gather confidential information. Hackers can sell footage of your building layout and staffing levels at different times of the day to criminals, for example.

IP cameras can also be used as gateway devices for larger attacks, including global distributed denial of service (DDoS) attacks that use connected cameras and other devices to send a flood of traffic to targeted websites and other infrastructure.

When it comes to protecting businesses, no two systems will be the same. The protections for a school will be very different from those of a data centre or a mine. Therefore, the first step in protecting your organisation and its surveillance systems is understanding what needs to be protected, how, and from whom, as well as the potential damage that can occur when (not if) an attack happens.

The importance of physical security

One unique aspect of video networks is how many devices are located in public, potentially vulnerable, areas. Most organisations need to install cameras to monitor busy areas, entrances, exits, and restricted areas or remote parts of a site. This can put cameras at higher risk, making it easier for attackers to gain access and disconnect devices. This means that multi-layered security to keep devices safe and separate from the wider IT network is essential. It also means that without adequate protection, a video surveillance system can be less secure than a classical IT system. That is worth bearing in mind when addressing your video and IT network cybersecurity as a whole.

Everyone’s responsibility

Cybersecurity is a shared responsibility, and IT and security must work together to build a robust cybersecurity strategy. Your IT team will need to be closely involved when implementing your video cybersecurity strategy. Because of their experience in areas like virtual private networks (VPNs) and virtual local area networks (VLANs), they will work with you on some of the foundational elements of protecting your VMS and connected devices.

Knowing who takes care of what can help you to assign accountability for things like upgrades, auditing, and penetration testing. Sometimes an external party, like a manufacturer or installer, is responsible for some aspects of your cybersecurity. Therefore, when starting your cybersecurity strategy, you will need to check:

1. Assess the nature of the business – and its goals.

2. Determine the local rules and regulations.

3. Confirm who is responsible for maintaining your system.

4. Ask who monitors your system. Unusual traffic or alerts of technical errors can be an indication of a cyberattack.

5. Be clear about who can access your video and computer network. Is the level of access appropriate to their needs? Does an operator have a level of access that is too high, or does someone who has left your organisation still have login credentials?

Speaking of access, you will also need to consider physical elements, such as who has access to a VMS server room. Alarms and access control measures can help prevent unauthorised individuals from accessing sensitive areas where your video data is located.

Consider the human element

One should consider your overall training programme, as the human factor can be a significant weakness in your cybersecurity, accounting for between 88 to 95% of data breaches, according to a joint study by Stanford University Professor, Jeff Hancock, and security firm, Tessian. Even something as simple as re-using a personal password to log into a VMS account, or falling for social engineering attacks (like an ‘urgent’ email from a manager requesting account details) can undermine every technical cybersecurity feature you implement.

Hence, regular training for your security team is important, as it can keep them updated on the latest threats and new ways to protect themselves and your system from harm. User control can also assist here, with admin and data access rights only given to those who require them. Assigning different VMS user credentials will (hopefully) prevent password sharing and allow you to remove a user’s access when they leave your company.

Foundational cybersecurity measures

Alongside this, there are some basic foundations that you can ensure you are following in order to make your video system less attractive to attackers. These include updating your cameras’ firmware and VMS device drivers to the newest versions.

Updates are typically made on an ongoing basis, so make sure your camera manufacturer issues regular security updates, including vulnerability patching and additional protections against new threats. Much

like how keeping your smartphone or laptop updated reduces the risk of a hack, staying up to date with your VMS and camera updates will make them less attractive to hackers.

Disabling your cameras’ built-in admin accounts or changing the default passwords is one of the first things to do when installing a new device. Then, you can ensure your cameras only support HTTPS (the secure version of HTTP).

To ensure the best protection, your chosen password should be a combination of lowercase and uppercase letters, special characters, and numbers. It should also not contain easily guessable words or phrases – using the word ‘password’ is an absolute no! Passwords also should not contain any information that identifies a user or that a hacker could gain from their public profiles and social media. As importantly, VMS accounts should not be shared by multiple users.

Keep your networks separate

Generally speaking, it is a good idea to keep your video network separate from your wider IT network. You can do this through VPNs (which is essential if you have people accessing your systems remotely, outside of your local network), and through VLANs that keep your video system partitioned and isolated from your other computer systems. If your cameras or VMS are compromised, for example, by someone accessing a device located on the street or by an operator unwittingly using a USB with malware on it, a hacker cannot use your video system to access more of your organisation’s data. It serves to limit the damage.

The importance of multi-layered security

A widescale breach in 2021 offers a hard lesson in what can potentially go wrong when you fail to secure your camera systems effectively. A cyberattack on a system provider in the USA exposed video recordings from

150 000 cameras, but also the sensitive financial information of high-profile customers. Hackers gained access to the provider’s systems using a username and password that was exposed in the public domain. This illustrates the importance of good password habits (regular password changes, using hard-to-guess passwords, and training people not to share their passwords with others).

Over 100 employees had ‘super admin’ privileges in the provider’s system, which gave access to footage from thousands of customer cameras, unknown to them. Setting the right access level for each user ensures that the risk and potential spread of a hack is limited. Put another way, the more admins you have, the more targets hackers can exploit.

Finally, alongside camera footage, hackers could also access sensitive financial and customer information through the breach. Separating your video network from your IT network limits how far a hacker can go if they do access your system. It prevents them from accessing your business’ financial and product data, operations, and other sensitive systems.

Cybersecurity is continuous

With all that said, every system will have vulnerabilities, and the cybersecurity space is constantly evolving. Being aware, in control, and responsible when using video will go a long way in protecting your organisation.

Share this article:

Further reading: