Let’s face it. Cybercriminals are smart. They’re aggressive, persistent, and opportunistic. They can sniff out an open port—a device running outdated software—and use it to invade the network. With cyberattacks on the rise, companies need to continually assess threats and adjust their cybersecurity posture accordingly.
So, who decides what cybersecurity policies and procedures to implement and how? To answer that question, you need to consider that in many organizations, IT and physical security devices reside on the same network. Being so closely intertwined, it’s critical their cybersecurity practices align.
Ryan Zatolokin, Business Development Manager, Senior Technologist, Axis Communications, Inc.
“Whether you’re talking about protecting IT infrastructure, surveillance systems and access control, or applications and data, the concerns are much the same,” says Ryan Zatolokin, senior technologist for the business development team, Axis Communications, Inc. “If it has an IP address, it needs to be defended.”
Zatolokin recommends applying a consistent strategy across all systems and devices attached to the network including any bring-your-own-devices not owned by the company. Without this cohesive alignment, a single weak link could potentially compromise a company’s entire operation.
“There shouldn’t be two different cybersecurity standards—one for physical security and one for data security or IT infrastructure,” insists Zatolokin. “One consistent standard should apply across the board. With transparency and good communication you can ensure that nothing gets overlooked.”
Start with basic cybersecurity policies
As we all know, cybercriminals tend to go for low hanging fruit. So, at a bare minimum, companies need to require users to change factory default passwords for their devices before logging onto the network. As an added precaution, users should be required to change passwords on a regularly scheduled basis. Companies also need to set a standard for password complexity to make them more difficult to hack.
“Something else that’s often overlooked is consistent maintenance,” says Zatolokin. “Companies need to require that patches and updates be installed on a timely basis, especially if the manufacturer issued those changed in response to discovered vulnerabilities.”
It’s been Zatolokin’s experience that unless there’s a company policy mandating that devices are to be kept up to date, people generally don’t install updates until they run into a problem.
Lifecycle management is another important policy that needs to be applied across the board. “Just because a device still works doesn’t mean you can continue to update it with the latest cybersecurity features,” warns Zatolokin. “If you’re still running a computer or surveillance camera that is 10 to 15 years old it’s unlikely that it’s capable of supporting the latest software, firmware or encryption.”
Companies need to institute a formal plan for determining obsolescence and replacing outdate devices on the network when they can no longer meet the organization’s cybersecurity needs. That timetable will be based on what assets are being protected and what cyberthreats are being faced.
Take cybersecurity policies and procedures to the next level
“When you look at the cyberthreats to an organization, you have to look at the organization as a whole,” states Zatolokin. “I don’t believe it’s possible to slice it up and say this is a physical security concern and this is an IT concern, especially since physical security devices protect IT infrastructure like IT closets and data centers.”
This means that organizations need to weigh cybersecurity considerations in the context of protecting the entire organization, whether running risk analyses, vetting technology vendors, hardening the network perimeter, or training employees in security best practices.
- Risk analysis: Whether conducted by the chief security officer or an outside consultant, a comprehensive risk analysis should account for all the threats the organization is facing—both cyber and physical. Once the risk assessment’s been qualified and quantified, a company can devise a cohesive set of policies and procedures to protect the entire operation.
- Network perimeter protection: Organizations need to consider who has access to the network and how to protect against unauthorized access to critical systems. It could be anyone from employees and partners to customers logging in through a web portal to someone tapping into WiFi in the lobby.
“It’s considering all the different ways people could possibly access your infrastructure and how to build different layers of protection,” shares Zatolokin. “You might decide to provide a VPN to certain users to give them a higher level of access. You might embed a unique digital certificate on a camera so that only that device can connect to the data switch that supports it. Or you might encrypt data at rest and in transit.”
- Vetting technology vendors: What an organization allows on the network is just as important as who. Especially for high-risk targets like government buildings and critical infrastructure, it’s vital to assess all the different vendors that put products on the company’s network. That might include conducting vulnerability scans and penetration scans on the products to ensure they pass a specific threshold before they can be placed on the network.
“Quality engineering has to be matched by solid maintenance commitment like regular updates in firmware and software, timely bug fixes and so forth, to ensure their devices don’t become vulnerable portals for hackers to breach the network,” explains Zatolokin.
- Training: Sometimes the weakest link isn’t a product but rather a person. That’s why it’s imperative organizations foster a security-conscious culture in every layer of the organization. Employees need to be taught vigilance and frequently reminded how easily their actions could lead to a breach.
“Over time, people tend to get lax about things like clicking on sketchy emails or websites on their work computers, propping the back door open, letting someone piggyback into the building on their keycard swipe, or even walking away from their computer to grab a coffee without closing out the screen,” says Zatolokin. “That’s why companies should invest in security training for their employees and provide ongoing incentives to continually reinforce those best practices.”
How a trio of Axis tools help cybersecure video surveillance systems
IT departments have been using a variety of cybersecurity tools for decades: everything from vulnerability scanners on individual devices to network monitoring tools that allow them to configure devices and measure their load on the network. Most manufacturers of video surveillance devices offer similar tools.
“Axis Communications is unique in that it offers integrators and end users a trio of tools to consistently manage the entire lifecycle of an organization’s security camera system from solution design and installation to operation, maintenance, retirement, and replacement of individual devices,” says Zatolokin.
This free web application on axis.com streamlines the process of going from design draft to project completion. The intuitive maps feature allows integrators to add floorplans or maps of the target sites, choose and virtually place cameras and devices, and view the coverage they’ll provide. It also helps integrators calculate system storage and bandwidth requirements.
Once the site design has been finalized, security installers and system administrators can use this tool to efficiently manage installation, security, and maintenance tasks on most Axis cameras, access control, and audio devices.
“On the installation side, AXIS Device Manager lets you do things like assigning IP addresses, managing usernames and passwords, keeping track assets, and managing security certificates,” says Zatolokin.
This third software application extends the capabilities of AXIS Device Manager. With its intuitive dashboard it provides system administrators with an instant status overview and insights into all their local and remote security devices. This includes real-time, detailed information about such things as warranty and product discontinuation so the organization can make timely decisions about device lifecycles.
“Knowing the real-time status of your entire system helps to simplify troubleshooting,” states Zatolokin. “If you can see when a device goes offline or experiences an unstable network connection you can get someone out to fix it. AXIS Device Manager Extend helps you stay proactive and ensure your entire system keeps working as it should.”
Maintain a consistent defense against cyberattacks
It’s virtually impossible to build systems and devices that are 100 percent cybersecure. The best you can hope for is to make them so difficult to breach that hackers look elsewhere for an easier target. To that end, organizations should:
- Conduct a risk assessment so they understand the potential threats against them.
- Implement consistent cybersecurity policies and procedures across their organization that respond to those risks.
- Institute a regular maintenance program to ensure all devices are kept updated with the latest software and firmware.
- Regularly reassess risks and adjusts cybersecurity policies and procedure to counter new and emerging threats.
- Seek out tools to help design, implement, operate, and maintain cybersecurity measures quickly and efficiently.
- Audit system status in real-time so you can instantly know if you’ve been breached. Then mitigate the threat as quickly as possible to minimize any damage.
For more advise about cyber hardening your network systems, see the Axis’s Cybersecurity Hardening Guide.