Steven Kenny

Steven Kenny, Axis Communications, looks at the benefits of physical access control systems within smart environments, and how knowledge gaps and dated methods can inhibit adoption. Physical security is becoming more dynamic and more interconnected, as it evolves. Today’s modern access control solutions are about so much more than simply opening doors, with digitalisation bringing multiple business benefits, which would simply not be possible using traditional models. Digital transformation While the digital transformation of processes and systems was already well underway, across many industries and sectors, it is the transformation of physical security from a standalone, isolated circuit, to a network-enabled, intelligent security solution that brings many benefits to the smart environment. Yet, with more organisations now looking to bring their physical security provision up to date, there are many considerations that must be addressed to maximise the potential of access control and video surveillance. Not least of which is that connecting physical security devices to a network presents risk, so it is increasingly important for IT teams to play a role in helping to facilitate the secure integration of physical and network technologies, as these two worlds increasingly converge. Improved access control in smart environments These urban constructs are capable of reducing waste, driving efficiencies and optimising resources The smart city offers significant benefits, reflected in the US$ 189 billion that is anticipated to be spent on smart city initiatives globally by 2023. These urban constructs are capable of reducing waste, driving efficiencies, optimising resources and increasing citizen engagement. Technology, which is increasingly being incorporated to protect access points within the smart environment, can take many forms. These range from simple card readers to two factor authentication systems, using video surveillance as a secondary means of identification, right through to complex networks of thermal cameras, audio speakers and sensors. Frictionless access control During the COVID-19 pandemic, frictionless access control has provided an effective ‘hands free’ means of accessing premises, using methods such as QR code readers and facial recognition as credentials to prove identity. Frictionless access control brings health and safety into the equation, as well as the security of entrances and exits, minimising the risk of infection, by removing the need to touch shared surfaces. Such systems can be customised and scaled to meet precise requirements. Yet, an increasing integration with open technologies and platforms requires collaboration between the worlds of physical security and IT, in order to be successful. Barriers to adoption Traditional suppliers and installers of physical security systems have built up a strong business model around their expertise, service and knowledge. Network connectivity and the IoT (Internet of Things) present a constantly shifting landscape, requiring the traditional physical security vendor to learn the language of IT, of open platforms, IP connectivity and software integration, in order to adapt to market changes and remain relevant. Many are now beginning to realise that connected network-enabled solutions are here to stay Those who cannot adapt, and are simply not ready for this changing market, risk being left behind, as the physical security landscape continues to shift and demand continues to increase. With end users and buyers looking for smarter, more integrated and business-focused solutions from their suppliers, it is clear that only those who are prepared will succeed in this space. Time will not stand still, and many are now beginning to realise that connected network-enabled solutions are here to stay, particularly within smart constructs which rely on such technology by their very nature. The importance of cyber hygiene Connecting any device to a network has a degree of risk, and it is, therefore, imperative that any provider not only understands modern connected technologies, but also the steps necessary to protect corporate networks. Cameras, access control systems and IP audio devices, which have been left unprotected, can potentially become backdoors into a network and used as access points by hackers. These vulnerabilities can be further compromised by the proliferation of connected devices within the Internet of Things (IoT). While the connection of devices to a network brings many advantages, there is greater potential for these devices to be used against the very business or industry they have been employed to protect when vulnerabilities are exploited. Cyber security considerations Cyber security considerations should, therefore, be a key factor in the development and deployment of new security systems. Access control technologies should be manufactured according to recognised cyber security principles, incident reporting and best practices. It is important to acknowledge that the cyber integrity of a system is only as strong as its weakest link and that any potential source of cyber exposure will ultimately impact negatively on a device’s ability to provide the necessary high levels of physical security. The future of access control There is a natural dispensation towards purchasing low-cost solutions There is a natural dispensation towards purchasing low-cost solutions that are perceived as offering the same value as their more expensive equivalents. While some have taken the decision to implement such solutions, in an attempt to unlock the required benefits, while saving their bottom line, the limited lifespan of these technologies puts a heavier cost and reputational burden onto organisations by their association. The future of access control, and of physical security as a whole, will, therefore, be dependent on the willingness of suppliers to implement new designs and new ways of thinking, based around high-quality products, and to influence the installers and others in their supply chains to embrace this new world. Cyber security key to keeping businesses safe In addition, cyber security considerations are absolutely vital for keeping businesses safe. The integration of cyber secure technologies from trusted providers will provide peace of mind around the safety or corporate networks, and integrity of the deployed technologies. As we move forward, access control systems will become data collection points and door controllers will become intelligent I/O devices. QR codes for visitor management and biometric face recognition for frictionless access control will increasingly be managed at the edge, as analytics in a camera or sensor. The future of access control presents an exciting and challenging time for those ready to accept it, to secure it and to help shape it, offering a true opportunity to innovate for a smarter, safer world.

Cloud technologies and the IoT have opened up seemingly endless possibilities for the modern retail organisation. Customers have never had as much control over purchasing decisions as they do today, with the ability to make transactions at the touch of a button for goods and services from the comfort of their own homes or on the move. However, the customer data lying at the heart of this frictionless shopping experience presents an ever more attractive commodity to cyber criminals. Attacks are growing in number and this presents a major problem for both retailers and customers. Cloud technologies and the IoT have opened up seemingly endless possibilities for the modern retail organisation In addition to the immediate disruption and downtime a breach can cause, the damage to the reputation of a business or brand can be lifelong. With GDPR related fines from the ICO now as much as €20m or 4% of an organisation’s global annual turnover, whichever is higher, the resulting combination of the cost of the breach itself, reputational erosion and any crippling fines can be devastating. It is therefore essential that retailers are aware of the steps and procedures they should be following to ensure full data compliance and to guarantee the integrity of their IT infrastructure. Ensuring full GDPR compliance It’s vital to ensure that everyone understands the security implications and knows how to respond effectively in the event of a breach. Internally, all teams and departments should have the confidence to raise the alert if a breach is suspected. Externally, companies should look to encourage conversations across the entire supply chain to ensure requirements are effectively met and security risks are adequately addressed. It is a requirement of the GDPR that the necessary steps be taken to guard against attack and protect existing software and systems It is a requirement of the GDPR that the necessary steps be taken to guard against attack and protect existing software and systems. Effective cybersecurity lifecycle management of IoT devices, such as network video surveillance cameras, is an example of a measure which should be put in place to help prevent such devices from being compromised, mitigating risk and ultimately maintaining customer trust. Establishing a truly secure retail solution can only be accomplished if security has been analysed at every stage. Evolving physical systems For protection of the physical retail environment, the move away from legacy security solutions such as traditional CCTV, which typically sat outside of a company’s IT operation, to the modern cloud-enabled security technologies we see today, allows retailers to unlock a wealth of business benefits previously impossible with analogue technologies. Today’s systems provide far greater accuracy of detection, vastly improved image quality, even in low light, and an array of business intelligence options to aid operations, such as people counting, queue monitoring and stock control. Protecting the physical security of the retail environment The ability to create live security alerts as well as forensic evidence for later analysis allows security teams to be proactive rather than reactive. In addition, the growing use of edge capabilities to process data within the cameras themselves negates the additional time and potential lag associated with continually passing surveillance information back and forward to servers, streamlining and therefore vastly improving operations. System vulnerabilities equals vulnerable data For network cameras being introduced onto an IT network, it’s essential to ensure that they do not become compromised and used as a backdoor to gain entrance to a business’s innermost workings and most valuable commodity; its data. The importance of guarding against system vulnerabilities cannot be ignored and it is therefore vital to ensure that all installed technologies are Secure by Default; built from the ground up with cybersecurity considerations at the forefront, to strengthen system security. In addition, software updates and firmware upgrades will keep the devices protected in line with the evolving threat landscape. The importance of guarding against system vulnerabilities cannot be ignored Forging and maintaining relationships with stakeholders is key to establishing a healthy supply chain built on mutual trust and respect. Only by following such an approach can the integrity of systems be fully guaranteed, with trusted vendors and installers working together to ensure that ethical practices are followed, and cybersecurity principles are adhered to. Due diligence should be carried out to make sure that all stakeholders involved in the manufacture, supply and installation of security software and systems understand the importance of keeping security best practice at the forefront of everything they do. Addressing the ongoing challenge Retailers must be able to rely on technologies that support their operational requirements and address associated risks, while at the same time, supporting IT security policies. By following procedures around the cybersecurity of IoT devices, and realising the importance of implementing high quality products and services through relationships with trusted vendors and partners, retailers will benefit from connected physical security systems that deliver on the promise of better protection of the business and customer, to effectively mitigate the mounting cyber security threat.

Cyber security concerns regularly top the list of things that keep business leaders up at night. The threat landscape is constantly shifting and evolving, as determined malicious actors launch new attacks and exploit vulnerabilities. Defending against threats and protecting company data can feel like a never-ending game where it’s impossible to stay one step ahead. To counteract this, Axis Communications (Axis) leads a collaborative effort with system integrators, security experts and end users. Here we explore the processes in place to ensure the highest-levels of surveillance system cyber security. Cyber security threat analysis A strategic approach to cyber security starts with an understanding of what common industry-specific threats an organisation is likely to face, existing vulnerabilities in their defence and industry regulation. Axis recognises this and proactively works with partners and customers to ensure they are equipped with the right knowledge and protocols to help defend against attacks. Unfortunately, security threats don’t fit into specific and well-defined boxes. They vary in terms of sophistication and impact. Highly complex attacks with the biggest impact to businesses and their customers tend to steal the most column inches and awareness, but these aren’t the most common. User error, a key factor in cyber-attacks User error is a top factor when it comes to successful cyber-attacks and shouldn’t be overlooked Rather, the threats that organisations need to worry most about arise far more frequently from lapses in protocol and what is often referred to as ‘deliberate or accidental misuse of the system’. User error is a top factor when it comes to successful cyber-attacks and shouldn’t be overlooked. This is something that Fred Juhlin, Global Senior Consultant at Axis Communications believes is one of the greatest misconceptions when it comes to threats. Fred Juhlin comments, “Many organisations mistakenly focus on protecting their businesses from the high profile threats, instead of getting the basics right. User error is a top factor when it comes to successful cyber-attacks and shouldn’t be overlooked when putting measures in place to improve cyber security.” Addressing cyber security vulnerabilities Vulnerabilities are weaknesses or opportunities for different threats to impact the system negatively and are a part of every system: no solution exists which is completely free from vulnerabilities. Rather than focus solely on the vulnerability itself, it’s important to quantify the potential impact on the organisation if it is exploited. This will help qualify the associated risk and whether addressing the vulnerability should be prioritised. Axis Communications strives to apply cyber security best practices in the design, development, and testing of devices, so as to minimise the risk of flaws that could be exploited in cyber-attacks. However, securing a network, its devices, and the services it supports relies on active participation by the entire vendor supply chain, as well as the end-user organisation. Axis Hardening Guide The Axis Hardening Guide describes each security control that can be applied with the device and recommends when, where and why it should be used when securing the network, devices, and services. From a vendor perspective, developing software products with security built in throughout the development lifecycle requires experience and maturity in secure software design and coding. In addition, these products must comply with prevailing legislation (for example, GDPR, CCPA for privacy and NDAA, DoD CCMC for secure supply chains and the UK Secure by Default legislation), and many more. Cyber security legislation and standards Wayne Dorris, CISSP, Business Development Manager – Cyber Security at Axis commented, “We dedicate a significant portion of our time to examining laws, legislation and standards for cyber security requirements to see where these may impact Axis.” He adds, “These regulations may differ according to geographical location, which presents a challenge to customers who need to deploy products across multiple markets. For example, it’s counterproductive to install one version of firmware for the Americas, when they need another version for EMEA.” Security Development Model Axis Communications approaches this challenge through its Security Development Model Axis Communications approaches this challenge through its Security Development Model, which is based on several cyber security industry best practices. The model defines the processes and tools used to build software with security built-in throughout the development lifecycle, spanning initial requirements, design, implementation, verification and deployment. Even with the best processes in place to prevent critical vulnerabilities being designed into a product, the threat landscape is in a continual state of change. Communicating information about these vulnerabilities to customers and partners as soon as they are discovered is the key. This will allow them to undertake risk assessments and take an action, such as patching, to rectify. Employing independent scanning tools Sometimes customers choose to take assessment into their own hands, employing independent scanning tools which report current vulnerabilities in the solution. These can be invaluable to keeping a system secure, but must be given right context and associated risk assessment. Without this, there is the chance that the wrong conclusions are drawn, leading to expensive and unnecessary actions. Without the right context and risk assessment, it’s easy to go down a rabbit hole. Steven Kenny, Industry Liaison Manager at Axis commented, “It’s great when customers take such a proactive stance to understanding the vulnerabilities that exist within their systems, but these reports can include many false positives. Without the right context and risk assessment, it’s easy to go down a rabbit hole, dedicating resources towards fixing a problem that has very little impact on the business.” Axis works closely with customers and partners regarding interpreting and prioritising vulnerabilities, and developing a strategic and informed plan of action. Cyber security best practice education and training Education plays an important role in informing the development of security policies As part of this guidance on the latest vulnerabilities, education plays an important role in informing the development of security policies. One of the greatest cyber security weaknesses in an organisation can be its staff. It is critical that they are made aware of how they can be targeted and the potential impact of failing to comply with security practices. Axis helps to deliver cyber awareness training and establish best practice guides for end users. Security personnel can also be a weak point in an organisation’s cyber security, given their responsibility for managing security controls. This includes maintaining an up-to-date device inventory, secure deployment, patching and device account management. Keeping on top of this can be difficult, and Axis Device Manager (ADM) can support security personnel in this endeavour. However, customer needs are changing and demand for capabilities such as multi-site management and improved monitoring is increasing. To meet this demand, Axis has launched ADM Extend which enables a more flexible deployment which allows personnel to support multiple sites. Although ADM Extend is currently focusing on the common operations, it will include more policies, security automation, and integration with other systems in the near future.  Moving towards a ‘zero trust’ approach Threat actors often work in collaboration, sharing information on the latest vulnerabilities, tactics and associated rewards. Faced with such a determined and often well-funded foe, organisations should not attempt to go into battle without the right armor and support. New threats continuously emerge a multi-layered approach, which is underpinned with cyber security education being essential to an organisation’s defence. As the industry moves to a ‘zero trust’ approach to security where every entity is identified and defined by its risk profile, it is important to choose products which are designed with security in mind. Axis leverages over 30 years of experience to create robust products and employs a collaborative approach to ensure that partners and customers are armed with the key information and tools needed to react to changing threats.

Axis Communications, the provider of network video technology, publishes its latest whitepaper, Cyber security: the biggest threat to retail which highlights the increasing threat posed by cyber-attacks to today’s retail industry. The paper documents the measures that should be understood by data controllers, loss prevention & security personnel through to heads of operations to ensure the highest levels of security and provide the appropriate education and training for all key stakeholders to effectively mitigate the mounting cyber security threat. Modern retail organisation It has been reported that in the last 12 months there have been 19 significant data breaches The growth in and use of IoT devices and cloud technologies have opened up boundless possibilities for the modern retail organisation across physical and digital platforms. However, customer data is at the heart of a frictionless shopping experience and presents an attractive commodity to cyber criminals, with attacks growing in number on those retailers whose systems are inadequately secured. It has been reported that in the last 12 months there have been 19 significant data breaches, which present a major risk for both retailers and customers. In addition to the immediate disruption and downtime a breach can cause, the damage to the reputation of a business or brand can be lifelong. Furthermore, GDPR related fines from the ICO can now be as much as €20m or 4% of global annual turnover, whichever is higher, and demands that necessary steps be taken to guard against attack and protect existing infrastructure. Personally identifiable information Axis’ whitepaper creates awareness of the challenges being faced and looks at how effective cybersecurity lifecycle management of IoT devices will help to better manage security and ultimately maintain customer trust. Collaboration with system vendors, integrators and installers is also hugely important" “Any organisation that generates or manages personally identifiable information (PII), effectively any data that could potentially identify a specific individual, must comply with GDPR. Establishing a truly secure retail solution can only be accomplished if security has been analysed at every stage. The key is to ensure that everyone involved understands the security implications of a breach and how to prevent one.” “Collaboration with system vendors, integrators and installers is also hugely important, and conversations across the supply chain will ensure requirements are met and security risks are adequately addressed,” Steven Kenny, Industry Liaison Architecture and Engineering, Axis Communications. Surveillance camera technology Alongside greater awareness of the need to comply with the GDPR, the Axis whitepaper stresses the importance of looking to guard against system vulnerabilities by working with trusted vendors who can install only those security technologies that are deemed to be Secure by Default. These technologies have been built from the ground up with cybersecurity considerations at the forefront. Technologies that are cyber secure offer peace of mind when connected to a network Technologies that are cyber secure offer peace of mind when connected to a network, and come with assurances that stringent guidelines are followed during the design and manufacturing process. Surveillance camera technology designed and manufactured in this way assures retailers that these security solutions will not be used as a backdoor into the network; such is the risk of introducing non-secured hardware. Addressing cybersecurity risks Key points covered in the retail whitepaper include: Review of cybersecurity challenges – Supply chain attacks, IoT vulnerabilities, the impact of operational downtime GDPR, data protection and privacy – Examining the necessary actions to ensure full compliance with the GDPR and DPA 2018 Video surveillance insights – Understanding how data analysis can inform security and business decisions, and supply chain evaluation Managing security effectively – Processes and tools to help the design, development and testing of systems in accordance with cybersecurity principles Converged security – A collaborative approach to addressing cybersecurity risks Video surveillance systems Many organisations have re-evaluated their entire strategy in order to ensure full GDPR compliance" “The retail industry is deemed the most at risk to cyber threats. It is crucial to find the balance between enhancing the customer experience and maintaining GDPR compliance; providing adequate security whilst not violating customer privacy,” says Graham Swallow, Retail segment lead, Northern Europe, Axis Communications. “While video surveillance systems are a necessity within the retail environment, many organisations have re-evaluated their entire strategy in order to ensure full GDPR compliance. Retailers must be able to rely on technologies that support their operational requirements and address associated risks, while at the same time, supporting IT security policies.” Connected physical security systems This whitepaper provides retailers with expert guidance, highlighting the appropriate policies and procedures around the cybersecurity of IoT devices, and reinforces the importance of selecting trusted vendors and partners. Axis is passionate about using technology to help create a smarter and safer world. This is demonstrated by a commitment to helping retailers understand the benefits of connected physical security systems that deliver on the promise of better protection of the business and customer.

Axis Communications, one of the market pioneers of network video technology, has received two accolades from security authorities in the form of Cyber Essentials Plus, a scheme operated by the National Cyber Security Centre, and Secure by Default self-certification, organised by the Surveillance Camera Commissioner, Tony Porter. The awards demonstrate Axis’ commitment to cyber security and its dedication to mitigating cyber risks within the products and services it provides. The UK Surveillance Camera Commissioner (SCC) launched earlier in 2019, a voluntary set of minimum requirements to ensure that surveillance cameras and components are manufactured in a way that is secure by design and secure by default. This is a key element of UK government policy on technological innovation having announced a £70m investment in making the UK a world leader in eliminating cyber threats to businesses and consumers by developing more resilient IT hardware, with security and protection designed directly into the hardware and chips. Contribution against cyber security attacks Security must be at the heart of our shared ambition for a smarter, safer world" Tony Porter, Surveillance Camera Commissioner for England and Wales said, “Congratulations to Axis Communications in self-certifying their products as ‘secure by default’. It has been an enlightening and positive experience working with manufacturers toward a common goal and it’s a genuine first and further requirements will follow over the next couple of years. The certification mark demonstrates to customers and stakeholders alike that the products listed on my website meet the new minimum requirements I expect in terms of cyber-secure surveillance camera products. This is exactly the leadership I expect from a company like Axis.” Axis’ full range of camera products have been certified including Companion Series, M Series, P Series, Q Series and F Series and will mean that Axis’ products make a significant contribution to improving the UK’s resilience against cyber security attacks via video surveillance systems. The requirements of the scheme are an important step forward for manufacturers, installers and users alike in providing the best possible assurance for stakeholders that products aren’t vulnerable to cyberattacks. Steven Kenny, Industry Liaison, Architecture & Engineering at Axis Communications, commented, "Security must be at the heart of our shared ambition for a smarter, safer world. It is imperative that every project is approached strategically within specific security standards and frameworks, and implemented with a Secure by Default philosophy. Axis played a part in the development of the new security requirement for surveillance cameras and we welcome it, and also look forward to working with the Surveillance Camera Commissioner to take this to the next level in the future.”

Axis Communications, a provider of network video technology, has announced the release of its latest whitepaper, Smart Buildings & Smart Cities Security. Authored in association with Virtually Informed and Unified Security, the whitepaper is the third in a series looking at specific aspects of security and provides an in depth review of the topic, addresses key questions and, importantly, provides recommendations that must be considered if the smart promise is to become a reality. Against the global backdrop of population growth, the strain on limited resources and climate change, there is a growing demand for businesses and governments around the world to deliver significant improvements in the way our cities and the buildings within them are managed. The promise of future cities and buildings built around a smart vision to reduce waste, drive efficiencies and optimise resources is a prodigious one with many inherent challenges, not least, security. Access to important and sensitive data Smart technology enables the collection and analysis of data to create actionable and automated eventsSmart technology enables the collection and analysis of data to create actionable and automated events that will streamline operations. To deliver this at far greater scale means bringing together a large number of very different systems and empowering them to communicate freely with access to important and often sensitive data. Device interoperability will be a crucial component of its success but to have full confidence in the way that these diverse ecosystems operate together, and to ultimately cede important decision-making to them, stakeholders must be fully confident in the security of the systems. The proliferation of IoT devices has witnessed in parallel an exponential increase in the number of threat exposures and attack vectors, which put in jeopardy the systems that our smart cities and buildings will rely on. With an ever-increasing number of cyber breaches and a common acknowledgment that ‘you are only as strong as your weakest link’, it is important that cybersecurity is considered and evaluated throughout the whole supply chain to protect data, maintain privacy and keep risk associated with cyber threats to a minimum. This process should always start by looking at device security and the vendors’ cyber maturity. Identifying vulnerabilities and mitigating damage Managing cybersecurity in environments of this scale involves drawing up thorough risk assessments that go right back through the supply chain. Identifying vulnerabilities and mitigating the potential for damage that they could cause. Axis’ Smart Buildings & Smart Cities Security whitepaper topics include: Smart cities and why we need them - Smart cities are increasingly playing a significant role in meeting today’s resource and population challenges Smart and intelligent technology - Smart devices, systems, buildings and cities defined – questions and issues around existing definitions are addressed Roles and responsibilities - Review stakeholder roles and security risk management to better understand the security issues associated with smart building systems Security challenges - Threat vectors are vast and varied with increasing levels of sophistication; understand the vulnerabilities, technologies and standards to be applied Recommendations - Getting started; security standards and frameworks; product strategy, system and solution security; supply and purchasing; and converged operations. Damages due to cybersecurity breach The associated disruption as a result of a cybersecurity breach of a smart system could be catastrophic. At a minimum, it would cause system downtime and impact its ability to operate. The loss of personal data or IP may also damage reputation, impact a company’s share price or even cause actual physical harm. Ensuring that converged security becomes a vital component of this rapidly changing paradigm is of critical importance; safety and security must be at the heart of the shared ambitions for a smarter environment. At Axis, we are passionate about using technology to help create a smarter and safer world" Steven Kenny, Industry Liaison, Architecture and Engineering at Axis Communications commented: “At Axis, we are passionate about using technology to help create a smarter and safer world. We also believe that technology should be used in an ethical and responsible way. You might say that this whitepaper reflects the very values of our business in that, used responsibly and with security front and centre, smart technology will help us address the big challenges of our time. Increased safety and security for all “Increasing efficiencies is vital in meeting carbon reduction targets and avoiding climate catastrophe. The smart vision provides a strong basis for economic growth and improved quality of life. We greatly admire the work that Virtually Informed and Unified Security are doing to help ensure that the worlds of physical and cyber security are aligned and working together to achieve a common goal of increased safety and security for all.” The whitepaper’s two authors have impressive credentials. James Willison is the founder of Unified Security Ltd and one of IFSEC Global’s top 20 Security thought leaders in the world. Sarb Sembhi is the CTO and CISO at Virtually Informed and has contributed on security projects for the likes of the London Chamber of Commerce and the Internet of Things Security Foundation. Mr. Sembhi also sits on the editorial board of SC magazine.