Loss prevention professionals talk a lot about cyber security risks these days, and for good reason: more and more retail security devices (surveillance cameras, access-control systems) are now highly connected as part of the vast Internet of Things. These devices are meant to counter security vulnerabilities, not introduce them.
In a feature article in the September–October 2017 issue of LP Magazine, contributing writer Garett Seivold explores the idea that security systems themselves may not be technically secure.
It turns out that vendors, integrators, and end users are all responsible for following data security best practices when it comes to system security. From the article:
LP executives must ensure that connected security devices do not provide hackers a new way to enter the company network. “You can’t allow your security solution to become a threat vector,” warned Gavin Bortles, president of Kepler Networks, a network engineering services provider. David Tyburski, chief information security officer for Wynn Resorts, echoed that view. “We can’t be injecting risk—we are supposed to be about reducing risk,” he said.
As for why it does happen, why at any given time you can monitor nearly a million private security cameras online, or why a recent multimillion-dollar security install at a massive theme park had IP addresses written right on the security cameras, there is blame to go around.
It’s wrong to assume just because they are security systems that manufacturers have made them secure, according to a study by the Government Accountability Office (GAO) on vulnerabilities in federal facilities. It noted, “Cyber security experts that we interviewed generally said that building and access-control systems are vulnerable to cyber attacks. One expert, for example, noted that control systems were not designed with cyber security in mind.” The US government has said connected devices pose “substantial safety and economic risks” and has called for immediate action to improve the security of Internet of Things (IoT) devices—but has proposed no specific penalties for manufacturers that fail to comply.
LP pros need to be responsible for the management of security devices, not just selection and implementation. That includes assessing cyber risks and adhering to data security best practices to counter potential vulnerabilities. Check out “Security’s Security” to learn how to address risks and improve operational efficiency of devices and systems.
This post was originally published in 2017 and was updated October 18, 2017.