Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

// // //

Hardening the Physical Security Supply Chain to Mitigate the Cyber-Risk

Nick Smith, Regional Manager at Genetec, details how physical security professionals can improve their resilience to cyberattacks by reviewing the cybersecurity policies of those they work with in the supply chain. This includes everyone from component vendors to installers and engineers.

Cyberattacks have become a significant business risk for organizations of all sizes. The US National Cyber Security Alliance found that more than 60% of cyberattacks target small to medium and small businesses. Its research also showed that 60% of those small companies were unable to sustain business operations six months following attack.

Cyberattacks, however, do not always come through the front door. Organizations depend on third-party vendors and service providers, who are critical suppliers of security components or providers of services such as accounting. And many cyberattacks come through these backdoors.

With up to 80% of cyberattacks now beginning in the supply chain, breaches at even the smallest of vendors can have big consequences for enterprise level operations. Every organization across the global physical security supply chain, therefore, must become more aware and interconnected to mitigate against cyber risk. At best, a breach is likely to leave you with a hefty fine and a tarnished reputation which you may never fully be able to repair.

The Initial Step to Mitigate Risk
A recent report by Genetec found that 67% of physical security professionals, including Genetec's end users, integrators, and partners, are planning to prioritize their cybersecurity strategy in 2021. With the UK witnessing a 31% increase in cybercrime since the start of the pandemic, many physical security professionals are recognizing that cyberattacks are real and that physical security systems are an ideal entry point for hackers.

IP security cameras and other security devices are by their very nature connected to the internet. It's what lets users access them remotely to check in on their business, and what lets manufacturers update device software without having to make a house call. But this feature can also be their Achilles' heel. When not secured properly, any camera or access control device in the so-called Internet of Things (IoT) can be accessed remotely by just about anyone, not just those with whom you want to share access.

One way to limit your organization's cyber vulnerabilities is to take a closer look at your supply chain and build a network of trusted vendors. Effective supply chain risk management (SCRM) is essential here for ensuring the continuity and profitability of your business. However, the same principle should also apply to the vendors that provide the various components of your physical security system, and even those that install or service your equipment.

You can begin by asking vendors and other third-party service providers about their cybersecurity and privacy policies and practices. A company that is serious about cybersecurity will conduct its own penetration testing and catch any vulnerabilities that could have been missed during product development. They will also be proactive when vulnerabilities are uncovered and quickly deploy the latest firmware and security updates to keep systems secure.

Moreover, when working with a systems integrator to develop or maintain a physical security solution, it is important to share your concerns about cybersecurity at the onset. A systems integrator must consider cybersecurity a top priority and should only recommend products from trusted manufacturers who are also committed to protecting your system on a regular basis.

Operate in a Framework of Best Practice
The cyberattacks against IoT devices are increasingly affecting enterprises yet could easily be prevented. For example, ensuring cameras are running on the latest version of the firmware and that security updates are regularly applied is a rudimentary aspect of good cyber hygiene. Yet, Genetec's own data reveals 68% of cameras trying to connect to its systems are running out of date firmware. And 54% of these involve known vulnerabilities, mean they could easily be compromised by a cybercriminal with malicious intent.

That is why everyone must play a role in protecting physical security systems from cyberattacks. Be sure to choose trusted vendors who use smart tactics such as penetration testing. And only work with systems integrators who are committed to providing continuous protection against cyberthreats. The success of your business may depend on it.

Nick Smith is Regional Manager at Genetec.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.

IFSEC Global, part of the Informa Network, is a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies – like video surveillance, access control, ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file