Physical security systems have shifted substantially from mechanical circuits to electronically-circuited networks, with the first network-enabled surveillance camera being launched more than 20 years ago (in 1996, to be precise). Now, more and more manufacturers are offering alarms and panels with cloud capabilities, meaning that end customers and installers can access and control security systems remotely via an app, affording greater flexibility in line with current market expectations, writes Glenn Foot.
However, the connected tech on which commercial premises security depends – such as webcams, CCTV, DVRs, smart meters, alarms and routers – finds itself in the crosshairs of more cyber attacks year on year. In fact, and as reported by the World Economic Forum, the CUJO AI Threat Intelligence Database: Q4 2018 placed alarm systems second in its Top Ten of home automation devices subject to attack attempts. With 47% of security camera systems being targeted by hackers, they are the more vulnerable types of network-connected device.
According to a study conducted by Hiscox, more than half of UK firms have reported a cyber attack this year, while admitting they’re also underprepared for a breach. The gateway that hackers find into a business’ network could be literally any connected device, including the alarm panel. Not only can these breaches be financially damaging for organisations, but they can also be harmful from a brand reputation perspective.
This is a worrying trend. Another report, this time produced by Deloitte, found that by this year, four billion people are expected to be connected globally, generating 50 trillion gigabytes of data per year and giving bad actors greater opportunity to infiltrate firms and consumer devices.
Currently, many organisations are not putting a security framework in place to mitigate potential cyber security risks, from phishing and hacking to ransomware attacks. A malicious actor only needs one weak link to access an entire network, be that via a cheap connected device in a remotely-connected employee’s home or an alarm panel, which is supposed to be protecting an organisation’s premises, but is actually providing an easy way into the network.
Key developments to come
According to the report entitled ‘The State of Digitalisation in UK Business’, cloud, computing, mobility, unified communications, data exploitation and cyber security are the key developments to come for businesses. Due to an increase in connectivity and digitalisation, there has been a significant rise in high-profile hacking on home networks, for example. In order to prevent these hacking attacks, it’s important that physical security systems harbour robust cyber capabilities such that they don’t provide an opportunity for skilled intruders to steal personal data or disable security systems.
This is becoming more important. A recent study by Gartner revealed that 40% of smart home appliances globally are being used for botnet attacks. This figure is expected to rise to 75% by 2021. If multiple devices in people’s homes – both out and about, and on premise at their place of work – are all connected, either through a network-controlled, private or public Wi-Fi, then that’s a lot of access points. Undeniably, 2019 showed us that, as our reliance on digital technologies increases, so do the rewards and incentives to break into those technologies for malicious actors.
As businesses become increasingly digitally connected, it’s important that physical security systems have robust cyber capabilities so they don’t provide an opportunity for intruders to steal data or disable security systems.
Promoting industry cyber awareness
Organisations must proactively focus on implementing a security infrastructure to take into account changing needs and expectations, as well as changes to the specifications of network-connected devices, including alarm panels. This all feeds into the changing nature of the network.
As just one example of this, with more employees working away from the office, organisations need to be aware of the increased security risks that come with this shift. For example, what to do in the case of employees using unsecured Wi-Fi while working from a public space. The value of continual education and qualifications cannot be overstated here.
In some industries, including certain parts of the physical security sector, education around connected security standards is lacking. That includes many industry experts (i.e. those installing physical security systems). The British Security Industry Association (BSIA) notes the importance of addressing the lack of understanding of the impact of the Internet of Things (IoT) in the security industry.
Given that IoT devices are experiencing an average of 5,200 attacks per month (according to a report from Symantec), it would seem that the BSIA is right to focus attention on this matter.
Ultimately, better device cyber security is required to ensure that it’s harder for bad actors to infiltrate software, otherwise physical security systems will begin to be seen as more of a risk than a benefit to organisations trying to protect their physical and digital assets.
In answer to this, the BSIA is investing heavily in promoting apprenticeships for the sector through its training arm, Skills for Security. It values education and qualifications, and notes the importance of addressing the lack of understanding of the impact of IoT in the security industry and of increasing the awareness surrounding this.
On top of this, IP technology now plays an important role in the new Government Trailblazer apprenticeship scheme and technology training is offered proactively, showing growing awareness that this problem needs to be tackled proactively.
Taking this one step further, the BSIA added the Cyber Security Product Assurance Group (CySPAG) to its portfolio in 2017, seeking to determine the needs of industry and consumers in order to develop Best Practice in this growing field. The CySPAG’s main thrust has been to develop an understanding of how Internet-connected security products and services impact our industry sector, as well as how we can minimise exposure to digital sabotage of network-connected equipment, namely the software and services used in electronic security systems.
These valuable initiatives should just be the start of a new level of cyber awareness for the industry. There’s substantial evidence that the CySPAG has already exerted an important impact on cyber awareness. It’s currently working on its next project and developing an industry Code of Practice for installers of Internet-connected security systems, providing a basis for a certification scheme in this field. As the CySPAG states: ‘The assurance these new guidelines give throughout the supply chain should instil end user confidence in connected security solutions.’
Impact on the security business sector
Ultimately, it’s crucial that the whole industry, from facilities and premises managers through to installers, and from employees to IT Departments, develop an understanding of how Internet-connected products and services impact the entire industry sector. This will allow the sector to minimise the exposure to digital sabotage of network-connected equipment, software and services.
With bad actors becoming more complex and in search of new ways to infiltrate devices and enterprises for their own gains, it’s up to industry specialists and bodies to better educate and protect customers. Only then will end users and enterprises have the confidence to invest more in the right security systems.
While the BSIA’s leading the way in supporting members and upholding industry standards, only 70% of the industry is represented, in turn affording room for improvement. Only when the entire industry is protected will we feel like our work is done.
Glenn Foot is Product Manager at Eaton Security and Chairman of the British Security Industry Association’s Cyber Security Product Assurance Group