COVID-19 Update

Do You Own Your Customer’s IP Security Devices?

As more IP security devices are connected to networks, more confusion may arise as to how security, IT or facilities groups address IP access control.

Brad McMullen Leave a Comment
Do You Own Your Customer’s IP Security Devices?

As our world becomes more connected, the ability to utilize connected IP security devices to not only run a business but to gain valuable insights is more possible than ever before. IP cameras can provide immediate, visual knowledge of what is happening in a business, while IP access control points can add and remove users almost instantly.

However, with all of these devices connected to a business’s network, a significant question arises that companies must address: who owns IP security devices connected to a company’s network?

This question is so relevant today because any IP access control device that is connected to a company’s network provides an entry point to that network by both authorized and unauthorized users.

If those connected security devices are not secure, it creates a vulnerable spot for hackers to gain access.

While many organizations spend millions of dollars ensuring their IT infrastructure is secure against future potential threats, it’s the immediate threat that exists from connected devices that must be considered, as well.

Managing Updates to IP Security Devices

It’s common for device manufacturers to regularly update their products to make them more secure, less vulnerable, remove bugs or add functionality.

One advantage of connected devices is the ability to remotely update with software or firmware patches, allowing the device to remain less vulnerable.

A common practice with IP cameras, for example, is for manufacturers to release new versions of firmware that can update the camera to work more effectively, eliminate bugs, or reduce vulnerabilities that hackers exploit.

It’s never a good situation when there is a breach of a device and it turns out that everyone thought “the other department” was handling it.

To effectively manage these updates, there needs to be an understanding of what is connected to the network, whether there is an updated version of the firmware and how to update the device.

Traditionally, a company’s security team handles security — with the IT team overseeing all things IT, and the facilities team handling the physical environment.

But now, with IP addresses and Internet connectivity, cameras used for security purposes are often connected to an organization’s network.

So is the security team responsible for the camera firmware updates and password verifications, or does this fall under IT’s responsibility, similar to mobile devices and laptops?

The best way for an organization to answer the question of who owns IP access control products connected to a network is to start with open communication and dialog.

Here are some best practices that companies can employ to minimize the confusion:

1) Clearly define who is responsible for IP security devices as well as the expectations regarding the responsibility.

For IP cameras, this means defining the physical upkeep and functionality of the camera, as well as the cybersecurity side of protecting the device via firmware updates and password checks.

2) Establish teamwork between the groups within an organization that have responsibilities for the functionality, security and operations of equipment.

In most organizations, as mentioned previously, this would include the security team, the IT department and potentially facilities maintenance.

3) Agree on frequency of verifying checks and audits to be completed and add connected security equipment as part of the normal IT audit of devices.

4) Utilize a security provider or integrator.

Many organizations have maintenance plans for physical security equipment. Check to see what the plan covers. Does it only cover the physical upkeep of the equipment?

5) Determine if there is an option to have a maintenance plan that includes regular firmware updates and password checks.

Connected devices give companies the opportunity to gather valuable data — now more than ever before.

The devices can provide real-time insight into customer behavior, building efficiency and up-to-the minute performance status of critical equipment.These are just a few of the use cases, and it is evident that the benefit of connected devices is significant.

But companies also need to realize that the risks of these connected devices are real and need to be planned for accordingly and comprehensively.It’s never a good situation when there is a breach of a device and it turns out that everyone thought “the other department” was handling it.

As long as there is clear ownership of IP access control within an organization, an action plan on how to keep the devices secure and communication between the stakeholders, the benefits of connected devices can certainly outweigh and effectively mitigate the risks.