Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

6/9/2021
12:00 PM
IFSEC Global
IFSEC Global
Commentary
50%
50%

Hardening the Physical Security Supply Chain to Mitigate the Cyber-Risk

Nick Smith, Regional Manager at Genetec, details how physical security professionals can improve their resilience to cyberattacks by reviewing the cybersecurity policies of those they work with in the supply chain. This includes everyone from component vendors to installers and engineers.

Cyberattacks have become a significant business risk for organizations of all sizes. The US National Cyber Security Alliance found that more than 60% of cyberattacks target small to medium and small businesses. Its research also showed that 60% of those small companies were unable to sustain business operations six months following attack.

Cyberattacks, however, do not always come through the front door. Organizations depend on third-party vendors and service providers, who are critical suppliers of security components or providers of services such as accounting. And many cyberattacks come through these backdoors.

With up to 80% of cyberattacks now beginning in the supply chain, breaches at even the smallest of vendors can have big consequences for enterprise level operations. Every organization across the global physical security supply chain, therefore, must become more aware and interconnected to mitigate against cyber risk. At best, a breach is likely to leave you with a hefty fine and a tarnished reputation which you may never fully be able to repair.

The Initial Step to Mitigate Risk
A recent report by Genetec found that 67% of physical security professionals, including Genetec's end users, integrators, and partners, are planning to prioritize their cybersecurity strategy in 2021. With the UK witnessing a 31% increase in cybercrime since the start of the pandemic, many physical security professionals are recognizing that cyberattacks are real and that physical security systems are an ideal entry point for hackers.

IP security cameras and other security devices are by their very nature connected to the internet. It's what lets users access them remotely to check in on their business, and what lets manufacturers update device software without having to make a house call. But this feature can also be their Achilles' heel. When not secured properly, any camera or access control device in the so-called Internet of Things (IoT) can be accessed remotely by just about anyone, not just those with whom you want to share access.

One way to limit your organization's cyber vulnerabilities is to take a closer look at your supply chain and build a network of trusted vendors. Effective supply chain risk management (SCRM) is essential here for ensuring the continuity and profitability of your business. However, the same principle should also apply to the vendors that provide the various components of your physical security system, and even those that install or service your equipment.

You can begin by asking vendors and other third-party service providers about their cybersecurity and privacy policies and practices. A company that is serious about cybersecurity will conduct its own penetration testing and catch any vulnerabilities that could have been missed during product development. They will also be proactive when vulnerabilities are uncovered and quickly deploy the latest firmware and security updates to keep systems secure.

Moreover, when working with a systems integrator to develop or maintain a physical security solution, it is important to share your concerns about cybersecurity at the onset. A systems integrator must consider cybersecurity a top priority and should only recommend products from trusted manufacturers who are also committed to protecting your system on a regular basis.

Operate in a Framework of Best Practice
The cyberattacks against IoT devices are increasingly affecting enterprises yet could easily be prevented. For example, ensuring cameras are running on the latest version of the firmware and that security updates are regularly applied is a rudimentary aspect of good cyber hygiene. Yet, Genetec's own data reveals 68% of cameras trying to connect to its systems are running out of date firmware. And 54% of these involve known vulnerabilities, mean they could easily be compromised by a cybercriminal with malicious intent.

That is why everyone must play a role in protecting physical security systems from cyberattacks. Be sure to choose trusted vendors who use smart tactics such as penetration testing. And only work with systems integrators who are committed to providing continuous protection against cyberthreats. The success of your business may depend on it.

Nick Smith is Regional Manager at Genetec.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.

IFSEC Global, part of the Informa Network, is a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies – like video surveillance, access control, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31834
PUBLISHED: 2021-10-22
Stored Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.
CVE-2021-31835
PUBLISHED: 2021-10-22
Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via a specific parameter where the administrator's entries were not correctly sanitized.
CVE-2021-34362
PUBLISHED: 2021-10-22
A command injection vulnerability has been reported to affect QNAP device running Media Streaming add-on. If exploited, this vulnerability allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of Media Streaming add-on: QTS 5.0.0: Media ...
CVE-2021-41127
PUBLISHED: 2021-10-21
Rasa is an open source machine learning framework to automate text-and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model `tar.gz` file which allows a malicious actor to craft a `model.tar.gz` file which can overwrite or replace bot...
CVE-2021-41169
PUBLISHED: 2021-10-21
Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.