Preventing physical security devices becoming a cyber-security headache

Opinion by Nigel Peers

Why GDPR may hold the key to ensuring the cyber-security of CCTV and access control technology.

Physical security devices, such as those used in CCTV and access control systems, are commonly used by businesses across the world. From safeguarding staff and students within schools and colleges, to ensuring the safety of the public at large visitor attractions, these devices are responsible for securing our perimeters and ensuring only authorised personnel are able to access certain areas of a facility.

As the capabilities of these technologies have progressed so quickly, we have been able to achieve so much more than we ever have done before. Connecting them to an IT network has meant they have evolved into devices that can collect and share vast amounts of data which can be used for security purposes, such as loitering detection and suicide prevention on railways; and for business intelligence, such as queue monitoring and managing staff more efficiently.

But has the cyber-security of these devices kept pace with this rapid progress? As we all know by now, connecting technologies to the internet can have severe consequences if not done correctly. Cyber-criminals have discovered they can utilise flaws in such technologies to gain access to a business's data and its ‘cyber' network. If companies aren't doing enough to protect this data, they may now be held accountable under new data protection laws, such as the General Data Protection Regulation (GDPR).

What has the GDPR got to do with you?

That's the question that has been asked in boardrooms across the UK over the last 18 months with increasing intensity. The answer is a lot - if your business is holding Personally Identifiable Information (PII), as the majority do. Whether that be the information that CCTV and access control systems generate and store, or if these devices act as an entry point to an IT network, ensuring personal data is protected has become a C-suite conversation for firms throughout Europe.

If a business hasn't begun preparations, or is unsure how the regulation may impact its operations, now is the time to start reviewing its data protection processes. Failure to comply with the new regulations could result in large fines, up to €20 million, or four percent of a company's annual turnover, whichever is greater. The reputational damage of non-compliance could also be catastrophic.

What you need to know

One crucial element to the incoming GDPR is the issue of accountability. While under the original Data Protection Act (DPA) the responsibility for a breach sat primarily with the controller, under the new legislation this now sits with the controllers and processors. Firms must therefore begin looking beyond their four walls to ensure complete protection.

For example, imagine a scenario where a criminal gains access to an organisation's network via a vulnerability introduced by surveillance equipment; this weakness is exacerbated when the end user decides to enable remote access to their video. Beyond the attacker, whose responsibility is the breach? Would it be the manufacturer of the surveillance equipment, the installer or the end-user's IT department? Ultimately, all parties share responsibility and have something to lose, including reputational damage. 

That said, the heavy fines set to be imposed by the impending GDPR would fall at the feet of the end user. And that is why education on the matter is so important, not only regarding the ramifications of a breach, but also how to ensure an organisation can sufficiently protect itself in this increasingly complex security landscape. The hack that led to 110 million customers of discount retailer Target having its financial data stolen occurred following a spear-phishing attack which granted attackers access to an internet-connected heating/ventilation system. This spear-phishing attack, which involved an email riddled with malicious code sent to a member of staff, could have been prevented if workers had been given the necessary training on how to identify suspicious emails.

Contributed by Nigel Peers, senior consultant, NW Security Group. 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews