Are CCTV cameras security providers or security risks?

By James Wickes, chief executive and cofounder, Cloudview
Published: 18 August 2017

Surveillance cameras are a familiar sight on business premises and in public spaces, installed to protect people, property and assets. However, the very systems designed to improve security may not themselves be secure, creating a risk of both the loss of corporate data and significant fines – even imprisonment for the directors responsible.

There is also the risk from built-in backdoors, which include those intended to make maintenance access easier, as well as security flaws in firmware. In autumn 2016, MI6 expressed grave concerns about the potential security risks posed by the complex supply chain behind China’s huge CCTV manufacturing industry – Britain’s largest supplier of legacy CCTV equipment. This was followed in March 2017 by the discovery that a camera had malicious software built into it which allowed remote unauthorised administrative access via the web.

The vulnerability of CCTV has been demonstrated by DDoS attacks too, with systems used as a source of botnet power to take down the services supporting critical systems and websites. What’s more concerning is that some CCTV systems lack even the most basic security protection, making them easy targets for everyone from smart teenagers to cyber criminals and terrorists. Independent research published last year found major vulnerabilities in both traditional DVR-based and cloud-based systems, making it easy for intruders to hijack connections to the device’s IP address.

Hidden risks
One reason why these problems are overlooked is that CCTV systems often fall outside the remit of IT, installed by facilities managers or other departments as a ‘fit and forget’ system. However, any business that records, stores and processes visual data should review its current setup and consider investing in a move away from any legacy, possibly piecemeal, technology to more sophisticated and secure modern systems. Failure to do so will leave it open to many risks. First, insecure CCTV systems provide hackers with a way into corporate networks, enabling them to steal data or disrupt business. Second, the potential for data theft – of either corporate material accessed via the CCTV system, or of visual surveillance data itself, which is subject to data protection law – means that organisations which do not secure their CCTV systems are in breach of data protection legislation.

The penalties for data loss will increase substantially when the new General Data Protection Regulation (GDPR) comes into force in May 2018. Serious breaches could lead to fines of up to €20 million or 4 per cent of turnover, whichever is higher. What many don’t realise is that the GDPR is about all data regardless of the form it takes. As outlined in our new white paper, every organisation that deploys a CCTV camera system will be required to comply with the regulation.

Adding fuel to the fire, the crackdown is in addition to a new warning from the government, which has said that businesses failing to protect themselves from a cyber-attack may be fined up to £17m or 4% of global turnover. This was in effect accepting the GDPR into British law, which means businesses can think again if they believe that GDPR won’t affect them once Britain leaves the EU. It is worth noting these latest fines are calculated on the turnover of the whole organisation, not the operating division or subsidiary in which the breach occurred. The proposals have been developed in line with the GDPR, and include data generated by CCTV systems as these tend to deliberately or unwittingly capture personal data. The Culture, Media and Sport Committee has gone one step further by saying that it would be useful to have a full range of sanctions, including custodial sentences, for GDPR breaches.

A new era for CCTV
To address these issues and the changing regulations, organisations need to do two things. First, they need to think about why they collect certain data, what they are doing with it and how it’s being protected – rather than deferring to a set of static tick box rules. Any organisation that falls into this category must review its processes as well as its security.

Second, organisations need to think about how they secure their systems. The only way that businesses using legacy CCTV equipment can comply with the new data protection regulations will be to physically lock down their recording equipment. This is inherently impractical and severely limits how they can use the visual data it generates. The solution is new technology, using the cloud and IoT to protect their visual data far more effectively.

Visual data from multiple sources can be encrypted and centralised in cloud systems such as Cloudview, where it can be accessed at any time by authorised personnel, from any location and on any device, as well as controlled, audited and documented. Moreover, image capture and storage retention are vastly more flexible while systems can be instructed to send instant alerts, triggered by particular conditions, to authorised users.

The amount of data being processed by the world’s CCTV systems every day is 15 times greater than the data processed daily by Google and yet 98% of it is never used. Organisations using them will continue to be targets for data theft and cyber-attacks as well as liable to new data protection rules.

But this risk is no longer necessary. When correctly implemented, cloud-based visual data systems provide an extremely effective and secure method for protecting corporate assets and people as well as providing access to an untapped source of the biggest and most impactful data there is – visual data.