Today, our physical security devices are increasingly connected and integrated into broader systems for ease of monitoring, deployment of analytics, and cross-functional automation. As a result, our physical security devices are also more exposed to cyber-attacks.
With a larger percentage of the workforce working remotely, hackers have become increasingly sophisticated. They may start with hardware, such as wireless components or system controllers, which provide access to specific computers. Then they use those computers to gain access to an organization’s external and internal networks.
Cybersecurity is critical for organizations in protecting their proprietary information, and failing to implement strong cybersecurity may also put them at risk of a lawsuit from the Federal Trade Commission (FTC). The FTC has filed lawsuits against companies for violating Section 5: Unfair or Deceptive Acts or Practices, of the Federal Trade Commission Act. An unfair or deceptive act is one that:
- Causes or is likely to cause substantial injury to consumers.
- Cannot be reasonably avoided by consumers.
- Is not outweighed by countervailing benefits to consumers or to competition.
Past charges have included using inadequate safeguards on wireless routers and IP cameras that left the organization vulnerable to hackers and failed to protect consumers’ privacy and security.
Without good virtual security, any organization can be impacted by cyber-attacks on its physical security devices, and the impact could be devastating. In the case of hacking of access control, losing control of building doors could lead to loss of sensitive information, intellectual property, or physical property, and could potentially encourage acts of extreme violence leading to injury or loss of life. More specifically, unauthorized access to video cameras might lead to loss of proprietary data, which could cause damage to business operations or lead to an information data breach that impacts thousands of customers.
Budgets and timelines for securing an organization’s physical devices against virtual attacks vary based on the situation but can be planned as part of the annual budget so that there are few surprises. If this is the first time device cybersecurity is being addressed at an organization, timelines may be longer and there may be a need to request capital or emergency funding for additional hardware, software, and contract support for the implementation. However, once protection is put in place, the ongoing planned maintenance and updates can substantially reduce the risk of a successful cyber-attack and limit the potential damage.
We will continue to see cybersecurity as a significant issue. Innovations such as AI devices that monitor the security of IT-connected devices will aid in the ongoing cybersecurity arms race. In the meantime, to mitigate the risk of cyber-attacks at your organization, consider protecting your physical devices by:
- Scheduling regular maintenance and updates for your security systems and following that schedule religiously.
- Planning for system updates and budgeting accordingly.
- Ensuring physical security devices are not connected directly to the internet. They should be connected to another physical appliance, such as a network video recorder (NVR), which is connected to the internet but provides another layer of protection between the internet and the device.
- Resetting all device user codes at installation with a unique and secured username and password (ensure they are no longer set to the installer default user code).
- Administering access control credentials properly, including correct access levels and badges returned or canceled upon separation.
- Ensuring user credentials are properly administered, including correct access levels, regular password updates for all users, and canceling user accounts upon separation.
- Isolating any new system from the internet if possible; if not possible, ensure all devices are protected behind security. Include the IT department in the early planning stages of the project to ensure cybersecurity concerns have been raised and addressed.
While budget may be a concern in keeping up system cybersecurity, the risk of losing control of your systems potentially outweighs the cost of these security measures. It is very much like purchasing insurance; it is far better to have it and not need it than to need it and not have it. If you have further questions about addressing cybersecurity issues or have a success story of preventing cyber-attacks to share, contact our team at firstname.lastname@example.org.