With about 400,000 privately owned and 10,000 publicly owned security cameras in operation across New Zealand, there is justifiable concern about how footage is collected, stored, shared and destroyed, writes Genetec’s Country Manager ANZ George Moawad.
The business case for installing security cameras is unequivocally to improve public safety. Airports and stadiums can monitor the movement of people to ensure that public safety and an efficient flow of people throughout the facility are maintained.
In the past, physical security, corporate data protection and personal privacy were treated as discrete silos. Now the analogue tools used for physical security have been replaced with digital solutions that are connected via protocols to the organisation’s network.
If a physical security system is compromised, there is now a potential exposure of the whole network, including unlawful access to archived corporate and personal data. A physical security platform that is not built on a solid cybersecurity foundation is vulnerable to cyber-attack, putting organisations and citizens at risk.
Supply chain risks must be monitored
The world of cybersecurity is acutely aware of the risks of supply chain attacks. Cybersecurity professionals actively work to limit access to backdoors and other vulnerabilities that could be leveraged by threat actors. Physical security systems must also be built and deployed with cybersecurity in mind. That means thinking about the entire supply chain and how systems are developed, deployed, accessed, operated and managed.
Over recent years, there has been increased focus on where physical security devices are made. This has been in response to vulnerabilities found in some devices coming from specific manufacturers that were not demonstrating a strong cybersecurity posture, putting users at risk. While cost is an important factor in choosing cameras, it is critical to research and understand the camera’s origin and the cybersecurity history of the suppliers under consideration.
The software you use to manage your cameras, collect footage and conduct analysis is also critical in decision making. It must use strong encryption to protect data when it is in flight and at rest. Access to the system should be protected with effective access controls including strong passwords and multifactor authentication.
The developer should also have a reputation for quickly remedying vulnerabilities and strengthening its systems against emerging threats. Compromised physical security software, or a compromised connected hardware device, is a gateway into the rest of your network. Many threat actors will do the work to find a way to exploit one or many of the devices connected to your physical security system, so ensuring the whole solution is cybersecure is key.
There is only one security strategy
Physical security systems are no longer separate. Surveillance cameras, and other physical security devices, operate over IP (Internet Protocol) as part of an organisation’s main network.
That means a cybersecurity compromise on either side of the physical security fence can lead to a much broader attack. An email compromise could lead to the data being obtained by threat actors. Or a security breach of a physical security device could lead to business data being stolen or encrypted in a ransomware attack.
Protecting the confidentiality, integrity and availability of all data is critical for business continuity and protecting the organisation’s reputation. While physical security and cybersecurity processes may be maintained by separate teams, they must be managed as an integrated whole. The days of disparate physical security strategies are over. There must be a single organisation-wide security strategy that encompasses them both.
New Zealand has a massive network of public and private security cameras. There is one camera for every 12 people. At some point during a day almost every citizen is likely to be photographed or videoed. This puts privacy front and centre on everyone’s agenda.
Protecting the privacy of every New Zealander starts with ensuring equipment is sourced from reputable and ethical vendors and that it is secured using the best possible encryption and authentication. And it must all be deployed, managed and maintained by a well-resourced and risk-aware team. Physical and cybersecurity are no longer separate domains. They are interconnected and operate in a world where threat actors see them as one attack surface.
An all-encompassing security strategy, built on a comprehensive cybersecurity posture for both physical security systems and the broader network, is essential.