What are the cybersecurity issues in video surveillance?

Steven Kenny

Cybersecurity should be an ongoing concern for consumers and companies in every sector, within their own organizations, amongst their stakeholders and throughout supply chains. The video surveillance industry is no exception. Far from the days of CCTV cameras, which held little to no information and were not connected to a network, the advances in digital video mean that connected IP cameras and associated devices on the network are at risk of being hacked. The importance of the data captured by video surveillance cameras – and what can be done with it – has led to a new breed of cyber criminals, looking for insights to steal and sell.

However, even if cybersecurity is recognized as a serious risk, only a handful (15%) of organizations feel adequately prepared to mitigate a cyber threat, according to a survey conducted by Axis and Genetec. Many (59% of end customers) blame their vulnerabilities on legacy systems, which they see as a hurdle to addressing IoT threats, but the reality is that no device – old or new – is 100% immune to hacks; at some point, you must open a door to let someone in or out of your system. It’s inevitable.

Protecting your network and the data you hold on your customers doesn’t require you to install encryption on every device. On the contrary, the first steps are also the most efficient and simple: getting to grips with the Internet of Things (IoT), identifying the vulnerabilities of your system and implementing the best practices to keep them safe.

In this post, you’ll find information about:
  • Potential cyber vulnerabilities in security systems
  • Best practices: Cybersecurity of surveillance devices
  • GDPR and data privacy for security systems
  • Cybersecurity needs in different industry sectors

What are the potential cyber vulnerabilities in security systems?

Businesses invest vast sums to deploy physical security technology. However, too often physical security systems, such as cameras, can be a back door into IT networks, making them a prime security risk to a business. Proactively implementing the latest cyber defenses remains the best practice in ensuring the highest level of cybersecurity.

There are many factors that can contribute to making a network vulnerable, many of which are linked to poor “cyber hygiene” of the network. Sometimes, it’s a lack of alignment between your IT and security teams. Failing to put in place and follow IT security policies can also lead to dire consequences; it’s not a coincidence that so many cyber breaches are due to human error, lapses in protocol and what is often referred to as “deliberate or accidental misuse of the system”. Similarly, systems that are not well maintained, updated and cared for also suffer from dramatically increased susceptibility to cyberattacks. It’s a common misconception that it’s more important to protect businesses from high-profile threats, when it’s instead key to get the basics right.

New cyber vulnerabilities are discovered frequently, but whether they pose a critical risk depends on two factors: the first is the probability that a vulnerability can be easily exploited; the second is the impact that its exploitation could have on the rest of the system. Look out for weak passwords, legacy systems and untrained personnel. Depending on the potential impact a vulnerability could have, you can judge whether addressing it should be prioritized. Finally, consider that the higher the number of devices in your system, the higher the chance of vulnerabilities.

With new technology, new vulnerabilities to sophisticated cyberattacks also emerge, one example being artificial intelligence (AI). Using AI has allowed bad actors to look more like a legitimate user of the network, whether human or a device. By learning the network behaviors, cybercriminals can develop new malware and phishing strategies to compel users in the network to open the virtual door for them.

The same technologies are, of course, available to those protecting the network. Given the ability to see behavior across the entire network, including every device and user, organizations can employ AI to detect anomalies that give warning of an attempted breach.

Best practices for the cybersecurity of surveillance devices

Maintaining cybersecurity across all devices can be difficult. Businesses should approach cybersecurity in two steps. The first is awareness; if you are not aware of potential cyber vulnerabilities, threats and issues, you cannot do anything to prevent them. Security vendors can support this by communicating important information about known vulnerabilities to customers and partners as soon as they discover them. Step two is mitigation; once you’ve identified a potential problem, you need to take the necessary steps to patch it before it turns into a serious threat.

Device lifecycle management is particularly crucial. Proactive maintenance is the best way to ensure a more stable and secure system; that’s why you should always install updates when your manufacturer releases them. Securing a whole network, including all devices and the services it supports, also relies on active support from vendor supply chains and end-user organizations. They can, for instance, inform themselves about the different security controls that are available for various devices and services.

Finally, governments are introducing schemes that list the requirements a system needs to satisfy in order to be recognized as effectively secure; following these guidelines also helps businesses to comply with legislation like GDPR.

GDPR and data privacy for security systems

What happens when you don’t take all the necessary steps, and leave your data exposed to an attack? Well, under GDPR rules you can be fined up to 4% of annual global turnover or €20 million, whichever is higher.

Yes, GDPR also applies to the data captured by your security surveillance. Under the regulation, any security network administrator should take all appropriate measures to provide the monitored persons with information in a brief, transparent, comprehensible and easily accessible manner concerning the processing of their data by the camera system. This means customers in a shop, for example, have the right to know whether they are being watched and the details of the recording.

On one hand, this may seem just another headache to business owners, but regulations like GDPR – and others such as the NIS Directive – have actually been very beneficial to cybersecurity, by increasing awareness of the importance of data protection among both organizations and end users.

From a vendor perspective, this means that when developing new software products, it’s key to ensure they comply with legislation across different markets and regions – from GDPR in Europe to CCPA or NDAA in the US and many more.

Cybersecurity needs in different sectors

The suggestions above are generally valid for every sector that is using video surveillance cameras, although with some differences in the approach. In finance, for example, the damage of a cyberattack to an institution’s reputation as a safe place can, over time, be more costly than any immediate loss. On the other hand, oil and gas infrastructures face more maintenance challenges, because of the remote locations of their facilities.

Data centers need to have very tight access policies in place, while smart cities need to rely on shared responsibility that involves both public services such as the police or firefighters, as well as private ones like small businesses.

If you want to read more about cybersecurity, check out this post about how to defend against cyberattacks in a disrupted world:

Defending against cyberattacks