[BreachExchange] Preventing physical security devices becoming a cyber-security headache

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 30 14:09:01 EDT 2018


https://www.scmagazineuk.com/preventing-physical-security-devices-becoming-a-cyber-security-headache/article/748491/

Physical security devices, such as those used in CCTV and access control
systems, are commonly used by businesses across the world. From
safeguarding staff and students within schools and colleges, to ensuring
the safety of the public at large visitor attractions, these devices are
responsible for securing our perimeters and ensuring only authorised
personnel are able to access certain areas of a facility.

As these technologies have advanced, they have moved well beyond recording
video and opening doors. Connecting them to an IT network has turned them
into devices that collect and share large volumes of data, used both for
security purposes, such as loitering detection and suicide prevention on
railways, and for business intelligence, such as queue monitoring and
more efficient staff scheduling.

But has the cyber-security of these devices kept pace with this rapid
progress? As we all know by now, connecting technologies to the internet
can have severe consequences if not done correctly. Attackers have learned
that a flaw in such a device can serve as a foothold into a business's wider
IT network and the data it holds. If companies aren't doing enough to
protect this data, they may now be held accountable under new data
protection laws, such as the General Data Protection Regulation (GDPR).

What has the GDPR got to do with you?

That's the question that has been asked in boardrooms across the UK over
the last 18 months with increasing intensity. The answer is a lot - if your
business is holding Personally Identifiable Information (PII), as the
majority do. Whether that be the information that CCTV and access control
systems generate and store, or if these devices act as an entry point to an
IT network, ensuring personal data is protected has become a C-suite
conversation for firms throughout Europe.

If a business hasn't begun preparations, or is unsure how the regulation
may impact its operations, now is the time to start reviewing its data
protection processes. Failure to comply with the new regulation could
result in large fines, up to €20 million or four percent of a company's
total worldwide annual turnover, whichever is greater. The reputational
damage of non-compliance could also be catastrophic.

What you need to know

One crucial element of the incoming GDPR is the issue of accountability.
While under the original Data Protection Act 1998 (DPA) the responsibility
for a breach sat primarily with the data controller, under the new
legislation it sits with both controllers and processors. Firms must
therefore begin looking beyond their four walls to ensure complete
protection.

For example, imagine a scenario where a criminal gains access to an
organisation's network via a vulnerability in its surveillance equipment;
this weakness is made far worse when the end user enables remote viewing,
which typically means exposing the device's web interface or video stream
directly to the internet. Beyond the attacker, whose responsibility is the
breach? Would it be the manufacturer of the surveillance equipment, the
installer or the end-user's IT department? Ultimately, all parties share
responsibility and have something to lose, including reputational damage.
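The check a practitioner would want at this point is whether any surveillance device is actually reachable from the internet. The following script is an added example and not code from the article or its author: it walks a list of NAT/port-forward rules and reports those that let a non-RFC 1918 source reach a host in the camera VLAN. The rule format, the camera VLAN (10.20.0.0/24), the VPN pool (10.99.0.0/24) and the port list are all constructed for the example; real devices may listen on other ports, so the list should be taken from the vendor's documentation.

```python
"""Flag firewall/NAT rules that expose surveillance devices to the internet.

Added example for this article, not code from it: the rule format, the
camera VLAN and the port list below are all constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Address space of the CCTV/NVR VLAN at the example site (assumed).
CAMERA_NETWORKS = [ip_network("10.20.0.0/24")]

# Ports a camera or NVR typically listens on. Assumed for the example;
# check the vendor's documentation for the real device.
SURVEILLANCE_PORTS = {
    80: "web UI (HTTP)",
    443: "web UI (HTTPS)",
    554: "RTSP video stream",
    8000: "proprietary device SDK",
    37777: "proprietary device SDK",
}

# RFC 1918 space: a source wholly inside one of these is treated as
# internal (LAN or VPN pool); anything else can be reached from the internet.
PRIVATE_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def reachable_from_internet(src):
    """True unless the rule's source range lies entirely inside RFC 1918 space."""
    net = ip_network(src, strict=False)
    return not any(net.subnet_of(private) for private in PRIVATE_NETWORKS)


def find_exposures(rules, camera_networks=CAMERA_NETWORKS):
    """Return the rules that let internet sources reach a surveillance device.

    Each rule is a dict with ``name``, ``src`` (CIDR), ``dst`` (address) and
    ``dport`` (TCP port). Rules for hosts outside the camera VLAN are ignored.
    """
    findings = []
    for rule in rules:
        dst = ip_address(rule["dst"])
        if not any(dst in net for net in camera_networks):
            continue  # not a surveillance device
        if not reachable_from_internet(rule["src"]):
            continue  # only internal or VPN sources may reach it
        findings.append({
            "rule": rule["name"],
            "dst": str(dst),
            "port": rule["dport"],
            "service": SURVEILLANCE_PORTS.get(rule["dport"], "unknown service"),
        })
    return findings


# Constructed rule set as an installer might leave it after switching on the
# NVR's "remote viewing" feature: every service forwarded from anywhere.
REMOTE_VIEWING_RULES = [
    {"name": "nvr-web", "src": "0.0.0.0/0", "dst": "10.20.0.5", "dport": 80},
    {"name": "nvr-rtsp", "src": "0.0.0.0/0", "dst": "10.20.0.5", "dport": 554},
    {"name": "nvr-sdk", "src": "0.0.0.0/0", "dst": "10.20.0.5", "dport": 37777},
    # Limited to the installer's office range (TEST-NET-3), but still public.
    {"name": "cam1-web", "src": "203.0.113.0/24", "dst": "10.20.0.11", "dport": 80},
    # Not a camera: outside the camera VLAN, so not reported by this check.
    {"name": "erp-https", "src": "0.0.0.0/0", "dst": "10.30.0.8", "dport": 443},
]

# Same site after remediation: remote viewing goes through the VPN, so the
# only source allowed into the camera VLAN is the VPN address pool.
VPN_ONLY_RULES = [
    {"name": "vpn-to-nvr-web", "src": "10.99.0.0/24", "dst": "10.20.0.5", "dport": 443},
    {"name": "vpn-to-nvr-rtsp", "src": "10.99.0.0/24", "dst": "10.20.0.5", "dport": 554},
    {"name": "erp-https", "src": "0.0.0.0/0", "dst": "10.30.0.8", "dport": 443},
]


if __name__ == "__main__":
    for label, rules in (("before", REMOTE_VIEWING_RULES), ("after", VPN_ONLY_RULES)):
        exposures = find_exposures(rules)
        print(f"{label}: {len(exposures)} exposed surveillance service(s)")
        for f in exposures:
            print(f"  {f['rule']}: {f['dst']}:{f['port']} ({f['service']})")
```

Run against the "before" set the script reports four exposed services, including the rule restricted to a single public office range, since any public source still means the device is internet-facing; against the "after" set it reports none, because the camera VLAN is reachable only from the VPN pool. The same logic can be fed with rules exported from a real firewall once they are mapped to the name/src/dst/dport shape used here.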

That said, the heavy fines set to be imposed by the impending GDPR would,
in practice, fall mainly at the feet of the end user as the data controller.
And that is why education on the matter is so important, not only regarding
the ramifications of a breach, but also how to ensure an organisation can
sufficiently protect itself in this increasingly complex security
landscape. The hack that exposed payment card and personal data of up to
110 million customers of discount retailer Target began with a
spear-phishing attack on one of its heating/ventilation contractors: an
e-mail carrying malware was opened by a member of the contractor's staff,
the attackers stole the contractor's credentials for Target's vendor
portal, and from there they worked their way into Target's network. A
phishing e-mail of this kind can be stopped at the first step if workers,
including those at suppliers, are given the necessary training on how to
identify suspicious e-mails.