
Building a Strong Cybersecurity Foundation for Your Video Solutions

In today’s digital world, it’s little surprise that cybersecurity is top of mind in many boardrooms. Indeed, 96% of CEOs say that it’s essential to their organisation’s growth and stability, according to Accenture.

And they are right to be concerned, because cybercrime is projected to cost the world a staggering $9.5 trillion USD in 2024, according to research firm Cybersecurity Ventures. Such losses can be business-ending, even before considering the cost of reputational damage and unscheduled downtime.

By Jos Beernink, Vice President EMEA at Milestone Systems

The cyber-risks of video

Being aware of the risks of an insecure video surveillance system – and how to mitigate these – is therefore a critical skill for all security leaders. Cameras, connected sensors, and video management software (VMS) can present attractive targets for malicious actors, thanks to the data collected by them. This data can be used for blackmail or to gather confidential information. Hackers can sell footage of your building layout and staffing levels at different times of the day to criminals, for example.

IP cameras can also be used as gateway devices for larger attacks, including global distributed denial of service (DDoS) attacks that use connected cameras and other devices to send a flood of traffic to targeted websites and other infrastructure.

When it comes to protecting businesses, no two systems will be the same. The protections for a school will be very different to those for a data centre or solar farm. The first step in protecting your organisation and its surveillance systems, therefore, is understanding what needs to be protected, how, and from whom, plus the potential damage that can occur when (not if) an attack happens.

The NIS2 Directive

Protecting your camera and video systems is about to become even more important due to the incoming NIS2 Directive, Europe-wide legislation that aims to boost the overall level of cybersecurity in network and information systems. Any surveillance installation that falls within the targeted “essential” industries will be affected (these include the energy sector, transport, banking, public administration, and digital infrastructures).

Under NIS2, users are required not only to assess their own systems, but also conduct a comprehensive risk assessment to ensure their entire supply chain is compliant. In today’s interconnected systems, achieving compliance across the supply chain can be challenging.

By way of an example, the Log4j vulnerability recently affected millions of computers across the world, and highlights the direct impact on systems utilising this open-source logging library as a small part of their software suite. It’s notable that a few software manufacturers, including Milestone Systems, which prioritize secure design and avoid any use of open source, remained unaffected.

The NIS2 Directive recognises that physical security threats pose a significant risk to organisations with digital operations. Installing cameras and other systems to control access to digital assets like server rooms and data centres is vital. Such organisations will need to take active, ongoing steps to ensure their video network’s security is as robust as possible.

The importance of physical security

One unique aspect of video networks is how many devices are located in public, potentially vulnerable, areas. Most organisations need to install cameras to monitor busy areas, entrances and exits to restricted areas, or remote parts of a site. This can have the effect of putting cameras at higher risk, making it easier for attackers to gain access and disconnect devices. This means that multi-layered security to keep devices safe and separate from the wider IT network is essential. It also means that without adequate protection, a video surveillance system can be less secure than a classical IT system. That’s worth bearing in mind when addressing your video and IT network cybersecurity as a whole.

Everyone’s responsibility

The NIS2 Directive emphasises that IT and security work together to build a robust cybersecurity strategy. Your IT team will need to be closely involved when implementing your video cybersecurity strategy. They will work with you on some of the foundational elements of protecting your VMS and connected devices, because of their experience in areas like virtual private networks (VPNs) and virtual local area networks (VLANs).

Knowing who takes care of what can help you to assign accountability for things like upgrades, auditing, and penetration testing. Sometimes an external party, like a manufacturer or installer, is responsible for some aspects of your cybersecurity. Therefore, when starting your cybersecurity strategy, you’ll need to check:

  1. Assess the nature of the business – and its goals.
  2. Determine the local rules and regulations.
  3. Confirm who is responsible for maintaining your system.
  4. Ask who monitors your system. Unusual traffic or alerts of technical errors can be an indication of a cyber-attack.
  5. Be clear about who has access to your video and computer network. Is the level of access appropriate to their needs? Does an operator have too high a level of access, or does someone who has left your organisation still have login credentials?

Speaking of access, you’ll also need to consider physical elements like who has access to a VMS server room. Alarms and access control measures can help to prevent unauthorised individuals from getting into sensitive areas where your video data is located.

Consider the human element

It’s worth considering your overall training program, as the human factor can be a significant weakness in your cybersecurity, accounting for between 88 and 95% of data breaches, according to a joint study by Stanford University Professor Jeff Hancock and security firm Tessian. Even something as simple as re-using a personal password to log into a VMS account, or falling for social engineering attacks (like an ‘urgent’ email from a manager requesting account details) can undermine every technical cybersecurity feature you implement.

This is why regular training for your security team is important, as it can keep them updated on the latest threats and new ways to protect themselves and your system from harm. User control can also assist here, with admin and data access rights only given to those who require them. Assigning different VMS user credentials will (hopefully) prevent password sharing and allow you to remove a user’s access when they leave your company.

Foundational cybersecurity measures

Alongside this, there are some basic foundations that you can ensure you’re following to make your video system less attractive to attackers. These include updating your cameras’ firmware and VMS device drivers to the newest versions. Updates are typically made on an ongoing basis, so make sure your camera manufacturer issues regular security updates that include vulnerability patching and additional protections against new threats. Much like how keeping your smartphone or laptop updated reduces the risk of a hack, staying up to date with your VMS and camera updates will make them less attractive to hackers.

Disabling your cameras’ built-in admin account or changing the default password is one of the first things to do when installing a new device. Then you can ensure your cameras are only supporting HTTPS (the secure version of HTTP).

To ensure the best protection, your chosen password should be a combination of lowercase and uppercase letters as well as special characters and numbers. It should contain no easily guessable words or phrases – using the word ‘password’ is an absolute no! Passwords also shouldn’t contain any information that identifies a user, or that a hacker could glean from their public profiles and social media. Just as importantly, VMS accounts shouldn’t be shared by multiple users.

Keep your networks separate

Generally speaking, it’s a good idea to keep your video network separate from your wider IT network. You can do this through VPNs (which are essential if you have people accessing your systems remotely, outside of your local network), and through VLANs that keep your video system partitioned and isolated from your other computer systems. If your cameras or VMS are compromised, for example by someone accessing a device located on the street or by an operator unwittingly using a USB with malware on it, a hacker cannot use your video system to access more of your organisation’s data. It serves to limit the damage.
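The foundational measures above (current firmware, no built-in admin left on its default password, HTTPS only, cameras confined to the video VLAN) can be checked against a device inventory. The following is an added example, not Milestone code; the model names, version numbers, VLAN id and inventory records are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed baseline: newest firmware per camera model and the VLAN
# reserved for video. Model names and the VLAN id are assumptions.
LATEST_FIRMWARE = {"cam-a": (2, 4, 1), "cam-b": (1, 9, 0)}
VIDEO_VLAN = 40

@dataclass
class Camera:
    name: str
    model: str
    firmware: str                 # dotted version, e.g. "2.4.1"
    admin_enabled: bool           # built-in admin account still active
    default_password: bool        # factory password never changed
    http_enabled: bool
    https_enabled: bool
    vlan: int

def parse_version(text):
    """Turn "2.3.9" into (2, 3, 9) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit(cam):
    """Return the list of baseline checks this camera fails."""
    findings = []
    latest = LATEST_FIRMWARE.get(cam.model)
    if latest is None:
        findings.append("no firmware baseline for model")
    elif parse_version(cam.firmware) < latest:
        findings.append("firmware out of date")
    if cam.admin_enabled and cam.default_password:
        findings.append("built-in admin with default password")
    if cam.http_enabled or not cam.https_enabled:
        findings.append("not HTTPS-only")
    if cam.vlan != VIDEO_VLAN:
        findings.append("outside video VLAN")
    return findings

# Constructed inventory, not taken from any real site.
INVENTORY = [
    Camera("lobby-01", "cam-a", "2.4.1", False, False, False, True, 40),
    Camera("gate-02", "cam-a", "2.3.9", True, True, True, True, 40),
    Camera("dock-03", "cam-b", "1.9.0", True, False, False, True, 10),
]

def audit_inventory(inventory):
    """Map camera name to findings, listing only cameras that fail."""
    report = {cam.name: audit(cam) for cam in inventory}
    return {name: found for name, found in report.items() if found}
```
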

The importance of multi-layered security

A widescale breach in 2021 offers a hard lesson in what can potentially go wrong when you fail to secure your camera systems effectively. A cyber-attack on a system provider in the USA exposed not only video recordings from 150,000 cameras, but also the sensitive financial information of high-profile customers. Hackers gained access to the provider’s systems using a username and password that were exposed in the public domain. This illustrates the importance of good password habits (regular password changes, using hard-to-guess passwords, and training people not to share their passwords with others).

Over 100 employees had ‘super admin’ privileges in the provider’s system, which gave access to footage from thousands of customer cameras, unknown to them. Setting the right access level for each user ensures that the risk and potential spread of a hack is limited. Put another way, the more admins you have, the more targets there are for hackers to exploit.

Finally, alongside camera footage, hackers could also access sensitive financial and customer information through the breach. Separating your video network from your IT network limits how far a hacker can go if they do access your system. It prevents them from accessing your business’ financial and product data, operations, and other sensitive systems.
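The access questions raised in this article (leavers who still hold credentials, operators with more access than they need, shared accounts, too many admins) lend themselves to a periodic account review. The following is an added example, not Milestone code; the role names, the staff list, the account export and the admin limit are constructed assumptions.

```python
# Constructed sample data: current staff with the access level each job
# needs, and an export of VMS accounts. Names and roles are assumptions.
STAFF = {"a.jensen": "operator", "m.okafor": "administrator",
         "l.moreau": "operator"}
ACCOUNTS = [
    {"login": "a.jensen", "owner": "a.jensen", "role": "operator"},
    {"login": "m.okafor", "owner": "m.okafor", "role": "administrator"},
    {"login": "l.moreau", "owner": "l.moreau", "role": "administrator"},
    {"login": "p.novak", "owner": "p.novak", "role": "operator"},
    {"login": "controlroom", "owner": None, "role": "operator"},
]
RANK = {"viewer": 0, "operator": 1, "administrator": 2}
MAX_ADMINS = 1  # assumption: limit set by site policy

def review(accounts, staff, max_admins=MAX_ADMINS):
    """Return (login, finding) pairs for accounts that need attention."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None:
            # No single named person: credentials are likely shared.
            findings.append((acct["login"], "no named owner (shared account)"))
        elif owner not in staff:
            # Owner has left but the login still exists.
            findings.append((acct["login"], "owner no longer on staff list"))
        elif RANK[acct["role"]] > RANK[staff[owner]]:
            # Granted role is higher than the job function requires.
            findings.append((acct["login"], "role exceeds job function"))
    admins = [a["login"] for a in accounts if a["role"] == "administrator"]
    if len(admins) > max_admins:
        findings.append(
            ("*", f"{len(admins)} administrators, policy allows {max_admins}"))
    return findings
```
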

Cybersecurity is continuous

With all that said, every system will have vulnerabilities and the cybersecurity space is constantly evolving. Being aware, in control, and responsible when using video will go a long way in protecting your organisation.

To help you on your journey towards a cybersecure video network, Milestone Systems is hosting a series of cybersecurity webinars. Whether you are starting out on cybersecurity or are looking at building on existing cyber measures, these webinars and events will help you build resilience in your video system. More details of these webinars, including the first webinar on the foundational elements of a video cybersecurity strategy, can be found here:

Learn what Milestone can do for your organization. Our video management software (VMS) can be customized to meet your every need. From keeping people and property safe to operating businesses more efficiently. We invite you to experience the power and functionality of Milestone’s VMS software through the exclusive Demo Trail, providing a hands-on experience with our state-of-the-art video management solutions.

About Milestone Systems

Milestone Systems is a leading provider of data-driven video technology software in and beyond security that helps the world see how to ensure safety, protect assets, and increase business efficiency. Milestone enables an open platform community that drives collaboration and innovation in the development and use of network video technology, with reliable and scalable solutions that are proven in more than 500,000 customer sites worldwide. Founded in 1998, Milestone is a stand-alone company in the Canon Group. For more information visit: For news and other press releases, visit our Newsroom.

