Trust is good, control is better – this is especially true for surveillance technologies
Surveillance technology serves as a gateway for criminals. As a recent Bitsight investigation revealed, 40,000 cameras worldwide send their images unprotected to the internet.[1] Burglars use these insights to plan their attacks, and an open microphone feed invites industrial espionage. In the worst case, perpetrators can control critical infrastructure – waterworks or energy suppliers – from outside. The NIS2 guidelines place greater responsibility on managing directors in the event of damage. Karsten Kirchhof, Technical & Commercial Manager at LivEye, explains how managers can secure their video surveillance.
Evening programme Live feed
The installation and configuration of security cameras is usually carried out by external service providers. As soon as an image appears on the screen, most users consider the setup complete. Installers often rely on manufacturer instructions that promise quick commissioning via QR code. However, this approach usually connects the camera to the unprotected company network, which turns the security feature into an easily accessible TV channel. ‘If curious onlookers discover the open channel, this already constitutes a data protection violation on the part of the transmitting company. Depending on the severity, this can cost business managers a penalty of 2 to 4 percent of annual turnover,’ explains security expert Karsten Kirchhof. If unscrupulous competitors find the weak spot, they can use image and sound recordings for spying. In most cases, those affected are not even aware of the microphone, as the function is disabled to protect employees. However, if a recording device is installed, it can also be accessed externally.
Espionage made easy
If sensitive information leaks out, this causes damage on several levels: competitors gain an advantage through the knowledge, the reputation of your own company is tarnished and the rights of your employees are violated. ‘In one case, the Higher Regional Court quantified the compensation for pain and suffering for violations of this kind at €5,000 per person,’ reports Kirchhof. In addition, upon closer inspection, alleged insider jobs in the area of theft turn out to be well-planned burglaries. Criminals use open security cameras to record delivery times and steal goods before warehouse workers can put them away. Another convenience factor for thieves is the easier access to alarm and locking systems due to the interconnection of security technology.
1234 is not enough
When managing directors become aware of a data leak, they should first disconnect the affected cameras to stop further images from being transmitted. This should be followed by a thorough check of the network security. To prevent this from happening in the first place, the expert advises a thorough check before installation. This starts with the origin of the devices, because German brand names do not necessarily mean that the products are German. German products are subject to stricter requirements than comparable technologies from non-European countries. For example, the EU requires manufacturers to demand that a new password be assigned immediately upon commissioning. To close this loophole, installers avoid integrating the devices into the production network. All security technologies are connected to a separate network, access to which is password-protected. If there are several buildings on the company premises, each one gets its own system, as Wi-Fi bridges between the buildings make internal security obsolete. It is best for company management to rely on internal IT professionals for this. After all, the more outsiders know about the protective mechanisms, the more useless they become.
Where does the data flow?
Even secure networks have their pitfalls: if users rely on products that do not comply with European standards, the protection often loses its effectiveness as a result of updates. After an update, the devices report to their parent company, which reopens access. ‘Secure use is possible, but requires considerable additional effort, as the connections must be checked for gaps after every update,’ warns Kirchhof. The origin of the devices also influences the use of modern cloud solutions. Providers from China or the USA usually access data clouds from their own territory. If you want to be on the safe side, you should use manufacturers that store sensitive information on European servers.
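One way to carry out the post-update connection check described above, as an added example that is not part of the original article: it compares outbound flows from the camera network before and after a firmware update and reports new destinations outside an allowlist. The subnet, the allowlisted recorder and NTP addresses, and the log format are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumptions for this example: the dedicated camera network and the only
# destinations cameras are expected to reach (recorder and internal NTP).
CAMERA_NET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED = {("10.50.0.10", 554), ("10.50.0.1", 123)}

# Constructed flow-log lines: "<timestamp> <src> <dst> <dst_port> <action>"
BEFORE_UPDATE = """\
2025-01-10T08:00:01 10.50.0.21 10.50.0.10 554 ALLOW
2025-01-10T08:00:05 10.50.0.22 10.50.0.1 123 ALLOW
"""
AFTER_UPDATE = """\
2025-01-12T02:14:09 10.50.0.21 10.50.0.10 554 ALLOW
2025-01-12T02:14:30 10.50.0.21 203.0.113.40 443 ALLOW
2025-01-12T02:15:02 10.50.0.22 198.51.100.7 8883 DENY
2025-01-12T02:15:40 192.168.1.5 203.0.113.40 443 ALLOW
malformed line
"""

def camera_flows(log_text):
    """Return {(src, dst, port): action} for flows that originate from cameras."""
    flows = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _, src, dst, port, action = parts
        try:
            if ipaddress.ip_address(src) not in CAMERA_NET:
                continue  # not a camera, out of scope for this check
            ipaddress.ip_address(dst)  # validate the destination address
            flows[(src, dst, int(port))] = action
        except ValueError:
            continue
    return flows

def new_unexpected_flows(before, after):
    """Flows seen only after the update whose destination is not allowlisted."""
    baseline = set(camera_flows(before))
    findings = []
    for (src, dst, port), action in sorted(camera_flows(after).items()):
        if (src, dst, port) in baseline or (dst, port) in ALLOWED:
            continue
        severity = "OPEN" if action == "ALLOW" else "blocked"
        findings.append((src, dst, port, severity))
    return findings

if __name__ == "__main__":
    for f in new_unexpected_flows(BEFORE_UPDATE, AFTER_UPDATE):
        print("%s -> %s:%d (%s)" % f)
```

A finding marked OPEN means the separate network let the new connection through and the egress rules need tightening; a blocked finding shows the device attempted to reach a new destination after the update.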
More secure in the future
New regulations such as the NIS2 directives and the IT Security Act 2.0 are seen as rays of hope in the industry. On the one hand, since 2024, the EU has held top management liable for violations. In doing so, the Union is placing responsibility on management and increasing the pressure to comply with minimum standards for IT security. On the other hand, the revised IT law targets components from autocratic third countries and requires thorough testing before they can be used in Germany. These developments give hope that security technologies will be truly secure from the outset in future and that companies will take care to close any gaps when installing them.
[1] https://www.securityweek.com/40000-unprotected-security-cameras-found-on-internet/