In 2018, users of the British Airways (BA) website were diverted to a fraudulent site. This site allowed the harvesting of around 500,000 people’s details in what BA described as a “sophisticated, malicious criminal attack” on its website. As a result, the Information Commissioner’s Office (ICO) handed out its biggest penalty yet - £183m.
When the US credit score agency, Equifax, experienced a massive data breach in 2017, more than 147 million US citizens’ details were exposed. In the same breach up to 15 million UK citizens were left at risk. The agency had been warned that its system suffered from a critical vulnerability, but had failed to follow up with the procedures needed to rectify the situation. The consequence was a £561m fine from the US regulator, and a £500,000 fine from the ICO in the UK.
These are just two examples from an increasing number of highly publicised data breaches and hacks which have weakened trust in data security. Alongside this is a general fear for the safety of our own personal data. In short, cybersecurity has become part and parcel of everyday life.
Organizations now face a perfect storm. The list of networked devices is steadily increasing thanks to the rise of the Internet of Things (IoT), and there are now even greater opportunities for would-be hackers to compromise systems. For many, it’s a matter of when - not if - a hack or breach will occur. When it does, it could take a long time to gain back public trust. The good news is that there are many tools at hand which can minimize the risk and protect your data.
The amount of the fine will be based on the nature, gravity, duration and character of the infringement, as well as the type of personal data collected. So, highly sensitive data such as biometric information would be classed differently to less personal data, like postcodes or usernames.
Once a company falls foul of GDPR because of its VMS and video devices, the consequences will be far more severe. More organizations will likely rush to secure their VMS. Of course, when it comes to GDPR, nobody wants to be the first infringement.
Installers must ensure that the VMS they’re using is GDPR-ready – and is certified as such.
In practice, this might look like a VMS analyzing pedestrian activity for potentially dangerous behaviour. Unwell people can be automatically flagged by the system when standing too close to the edge of a rail platform, for example. Using VMS in this way is clearly in the public interest - there is a legitimate reason for installing such a system and storing the data.
Ensuring a GDPR-compliant video operation includes three steps. First, make sure your VMS is GDPR-ready and is certified to contain cybersecurity and privacy protection features that enable GDPR-compliant use.
Secondly, systems integrators must ensure privacy by design by applying the correct overall system design, system configuration and physical installation of cameras and other devices.
Lastly, end users must define and follow procedures and processes for how video data is stored, handled and shared.
Developing and implementing security measures and best practices is known as "hardening", a continuous process of identifying and understanding security risks, and taking appropriate steps to counter them. The process is dynamic because threats, and the systems they target, are continuously evolving.
Physical security is also a vital part of hardening; humans and their errors often compromise this. For example, use physical barriers to servers and client computers, and make sure that things like camera enclosures, locks, tamper alarms, and access controls are secure.
Training needs to reach people across the organization. It must be tailored, so people understand some of the unique security risks that come with VMS and the sensitive data that can be collected. They should understand how to comply with GDPR.
Then, they should know their role in securing the system, from avoiding written-down passwords to the correct installation of cybersecurity systems. Understanding the threats out there is essential: you cannot protect against things you don’t know about. This means cybersecurity training is an ongoing effort, not a one-time event.
There’s a risk that training could become a tick-box exercise that people attend because they have to. To prevent this, use interactive sessions like lunch and learns, workshops and group work to engage with everyone.
The software should also be secure-by-design, where security is at the center of a developer’s mindset when they approach a task. If your VMS provider can illustrate that secure implementation is a priority - as is the case with Milestone XProtect, for example - then your VMS cybersecurity is built on robust foundations.
One solution for this is to use a VMS supporting dual networks, where IoT devices are connected to a completely locked-down network and information generated from these devices is then proxied via the recording server. This gives a level of immediate protection to IoT devices.
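The dual-network design above, as an added nftables example (not Milestone’s or the page’s own configuration): the recording server sits between a client LAN and a locked-down camera network, and only the server may open sessions to the cameras. Interface names, subnets and port numbers are assumptions, not values from the page.

```nftables
# Added example: recording server as the only path between the client LAN and the camera network.
# Assumed layout (not from the page): eth0 = client LAN 10.0.10.0/24,
# eth1 = locked-down camera network 10.0.20.0/24; the server proxies video between them in userspace.
table inet vms {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Cameras never get to initiate connections to the server; only replies to
        # sessions the server opened are let in (by the state rule above).
        # Clients reach the VMS only on its own service port (assumed 443 here).
        iifname "eth0" ip saddr 10.0.10.0/24 tcp dport { 443 } accept
        # Log, then drop, anything else so direct probes of the server are visible centrally.
        log prefix "vms-input-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # No routing between the two networks at all: clients cannot talk to cameras
        # directly, and a compromised camera cannot reach the client LAN.
        log prefix "vms-forward-drop: " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        # Server-initiated camera sessions only: RTSP and HTTPS into the camera subnet.
        oifname "eth1" ip daddr 10.0.20.0/24 tcp dport { 554, 443 } accept
        # Nothing else leaves towards the camera side (no internet egress for cameras).
        oifname "eth0" accept
        log prefix "vms-output-drop: " drop
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; if a client workstation can still open a camera’s RTSP port directly, the camera network is not actually isolated.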
It will pay to remain up-to-date with all cybersecurity developments, particularly relating to the IoT and VMS. Part of this should be done by your manufacturer, who will regularly update the VMS to mitigate threats. By keeping a step ahead in your VMS cybersecurity, you’ll make your systems less of a target. It’s hard to be caught out when you’re constantly in motion.
- Awareness – ensure wider awareness of the need for a secure VMS.
- Hardening – tighten up your VMS as part of an ongoing, dynamic process to ensure robustness.
- Training – educate users and colleagues on best practice in system setup, installation and use.
- Privacy – maintain a ‘culture of privacy’ by ensuring that your system is GDPR-ready.
- Regular updates – keep your system up to date with the latest drivers, patches and fixes to stay ahead of would-be hackers.