A strong cybersecurity foundation

SMART Surveillance 2024 Information Security

In today’s digital world, it is not surprising to see cybersecurity top of mind in many boardrooms. Indeed, 96% of CEOs say that it is essential to their organisation’s growth and stability, according to Accenture.

They are right to be concerned because, according to research firm Cybersecurity Ventures, cybercrime is projected to cost the world a staggering $9,5 trillion USD in 2024. Such losses can be business-ending, without even considering the cost of reputational damage and unscheduled downtime.

The cyber-risks of video

Therefore, being aware of the risks of an insecure video surveillance system and how to mitigate these are critical skills for all security leaders. A VMS can present attractive targets for malicious actors thanks to the data collected by cameras, connected sensors, and video management software (VMS). This data can be used for blackmail or to gather confidential information. Hackers can sell footage of your building layout and staffing levels at different times of the day to criminals, for example.

IP cameras can also be used as gateway devices for larger attacks, including global distributed denial of service (DDoS) attacks that use connected cameras and other devices to send a flood of traffic to targeted websites and other infrastructure.

When it comes to protecting businesses, no two systems will be the same. The protections for a school will be very different from those of a data centre or a mine. Therefore, the first step in protecting your organisation and its surveillance systems is understanding what needs to be protected, how, and from whom, as well as the potential damage that can occur when (not if) an attack happens.

The importance of physical security

One unique aspect of video networks is how many devices are located in public, potentially vulnerable, areas. Most organisations need to install cameras to monitor busy areas, entrances, exits, and restricted areas or remote parts of a site. This can put cameras at higher risk, making it easier for attackers to gain access and disconnect devices. This means that multi-layered security to keep devices safe and separate from the wider IT network is essential. It also means that without adequate protection, a video surveillance system can be less secure than a classical IT system. That is worth bearing in mind when addressing your video and IT network cybersecurity as a whole.

Everyone’s responsibility

Cybersecurity is a shared responsibility, and IT and security must work together to build a robust cybersecurity strategy. Your IT team will need to be closely involved when implementing your video cybersecurity strategy. Because of their experience in areas like virtual private networks (VPNs) and virtual local area networks (VLANs), they will work with you on some of the foundational elements of protecting your VMS and connected devices.

Knowing who takes care of what can help you to assign accountability for things like upgrades, auditing, and penetration testing. Sometimes an external party, like a manufacturer or installer, is responsible for some aspects of your cybersecurity. Therefore, when starting your cybersecurity strategy, you will need to check:

1. Assess the nature of the business – and its goals.

2. Determine the local rules and regulations.

3. Confirm who is responsible for maintaining your system.

4. Ask who monitors your system. Unusual traffic or alerts of technical errors can be an indication of a cyberattack.

5. Be clear about who can access your video and computer network. Is the level of access appropriate to their needs? Does an operator have a level of access that is too high, or does someone who has left your organisation still have login credentials?

Speaking of access, you will also need to consider physical elements, such as who has access to a VMS server room. Alarms and access control measures can help prevent unauthorised individuals from accessing sensitive areas where your video data is located.

Consider the human element

One should consider your overall training programme, as the human factor can be a significant weakness in your cybersecurity, accounting for between 88 to 95% of data breaches, according to a joint study by Stanford University Professor, Jeff Hancock, and security firm, Tessian. Even something as simple as re-using a personal password to log into a VMS account, or falling for social engineering attacks (like an ‘urgent’ email from a manager requesting account details) can undermine every technical cybersecurity feature you implement.

Hence, regular training for your security team is important, as it can keep them updated on the latest threats and new ways to protect themselves and your system from harm. User control can also assist here, with admin and data access rights only given to those who require them. Assigning different VMS user credentials will (hopefully) prevent password sharing and allow you to remove a user’s access when they leave your company.

Foundational cybersecurity measures

Alongside this, there are some basic foundations that you can ensure you are following in order to make your video system less attractive to attackers. These include updating your cameras’ firmware and VMS device drivers to the newest versions.

Updates are typically made on an ongoing basis, so make sure your camera manufacturer issues regular security updates, including vulnerability patching and additional protections against new threats. Much

like how keeping your smartphone or laptop updated reduces the risk of a hack, staying up to date with your VMS and camera updates will make them less attractive to hackers.

Disabling your cameras’ built-in admin accounts or changing the default passwords is one of the first things to do when installing a new device. Then, you can ensure your cameras only support HTTPS (the secure version of HTTP).

To ensure the best protection, your chosen password should be a combination of lowercase and uppercase letters, special characters, and numbers. It should also not contain easily guessable words or phrases – using the word ‘password’ is an absolute no! Passwords also should not contain any information that identifies a user or that a hacker could gain from their public profiles and social media. As importantly, VMS accounts should not be shared by multiple users.

Keep your networks separate

Generally speaking, it is a good idea to keep your video network separate from your wider IT network. You can do this through VPNs (which is essential if you have people accessing your systems remotely, outside of your local network), and through VLANs that keep your video system partitioned and isolated from your other computer systems. If your cameras or VMS are compromised, for example, by someone accessing a device located on the street or by an operator unwittingly using a USB with malware on it, a hacker cannot use your video system to access more of your organisation’s data. It serves to limit the damage.

The importance of multi-layered security

A widescale breach in 2021 offers a hard lesson in what can potentially go wrong when you fail to secure your camera systems effectively. A cyberattack on a system provider in the USA exposed video recordings from

150 000 cameras, but also the sensitive financial information of high-profile customers. Hackers gained access to the provider’s systems using a username and password that was exposed in the public domain. This illustrates the importance of good password habits (regular password changes, using hard-to-guess passwords, and training people not to share their passwords with others).

Over 100 employees had ‘super admin’ privileges in the provider’s system, which gave access to footage from thousands of customer cameras, unknown to them. Setting the right access level for each user ensures that the risk and potential spread of a hack is limited. Put another way, the more admins you have, the more targets hackers can exploit.

Finally, alongside camera footage, hackers could also access sensitive financial and customer information through the breach. Separating your video network from your IT network limits how far a hacker can go if they do access your system. It prevents them from accessing your business’ financial and product data, operations, and other sensitive systems.

Cybersecurity is continuous

With all that said, every system will have vulnerabilities, and the cybersecurity space is constantly evolving. Being aware, in control, and responsible when using video will go a long way in protecting your organisation.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

New ransomware using BitLocker to encrypt data
Technews Publishing Information Security Residential Estate (Industry)
Kaspersky has identified ransomware attacks using Microsoft’s BitLocker to attempt encryption of corporate files. It can detect specific Windows versions and enable BitLocker according to those versions.

Create order from chaos
Information Security
The task of managing and interpreting vast amounts of data is akin to finding a needle in a haystack. Cyberthreats are growing in complexity and frequency, demanding sophisticated solutions that not only detect, but also prevent, malicious activities effectively.

Trend Micro launches first security solutions for consumer AI PCs
Information Security News & Events
Trend Micro unveiled its first consumer security solutions tailored to safeguard against emerging threats in the era of AI PCs. Trend will bring these advanced capabilities to consumers in late 2024.

Kaspersky finds 24 vulnerabilities in biometric access systems
Technews Publishing Information Security
Customers urged to update firmware. Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by international manufacturer ZKTeco, allowing a nefarious actor to bypass the verification process and gain unauthorised access.

Responsible AI boosts software security
Information Security
While the prevalence of high-severity security flaws in applications has dropped slightly in recent years, the risks posed by software vulnerabilities remain high, and remediating these vulnerabilities could hinder new application development.

AI and ransomware: cutting through the hype
AI & Data Analytics Information Security
It might be the great paradox of 2024: artificial intelligence (AI). Everyone is bored of hearing it, but we cannot stop talking about it. It is not going away, so we had better get used to it.

NEC XON shares lessons learned from ransomware attacks
NEC XON Editor's Choice Information Security
NEC XON has handled many ransomware attacks. We've distilled key insights and listed them in this article to better equip companies and individuals for scenarios like this, which many will say are an inevitable reality in today’s environment.

iOCO collaboration protection secures Office 365
Information Security Infrastructure
The cloud, in general, and Office 365, in particular, have played a significant role in enabling collaboration, but it has also created a security headache as organisations store valuable information on the platform.

Cybercriminals embracing AI
Information Security Security Services & Risk Management
Organisations of all sizes are exploring how artificial intelligence (AI) and generative AI, in particular, can benefit their businesses. While they are still figuring out how best to use AI, cybercriminals have fully embraced it.

Surveillance and cybersecurity
Cathexis Technologies Information Security
Whether your business runs a security system with a handful of cameras or it is an enterprise company with thousands of cameras monitoring sites across a multinational organisation, you must pay attention to cybersecurity.