GDPR

Milestone XProtect Corporate 2019 R2 is the first major video management software product to obtain a complete GDPR-ready certification from EuroPriSe. XProtect Corporate 2019 R2 is the first major video management software product to obtain the highly sought-after EuroPriSe (European Privacy Seal) GDPR-ready certification. With the GDPR-ready certification from the independent and recognised institute EuroPriSe, end-users can be confident that they have the right foundation to build a GDPR compliant video surveillance installation. Video management installations GDPR is on par with, or in many cases tougher than these domestic regulations" The certification covers all core capabilities of Milestone XProtect Corporate, building on the native XProtect cyber security features. To help system integrators and end-users design, implement, and operate GDPR-compliant video management installations, Milestone Systems provides a holistic set of tools, including an extensive GDPR Privacy Guide with ready-to-use templates, as well as privacy awareness training for end-users. “While GDPR is an EU-centric regulation, data privacy is a concern in many parts of the world, where we see similar regulations coming into force. GDPR is on par with, or in many cases tougher than these domestic regulations, so the EuroPriSe GDPR-ready certification is of great importance to us. System integrators and end-users can rest assured that they have the right foundation on which to build GDPR-compliant solutions,” says Chief Technology Officer Bjørn Skou Eilertsen, Milestone Systems, and continues: Protect personal data captured “With the continuous technology evolution, video management products have become very powerful, which calls for a responsible use by end-customers. In 2017, Milestone Systems leaders joined more than 150 representatives from tech companies around the world in signing the Copenhagen Letter, a declaration that calls on tech companies to use technology in a responsible, human-centred way. Enabling our customers to protect personal data captured and processed by XProtect VMS systems is a natural extension of this commitment.” The GDPR-ready certification covers Milestone Systems’ top range product XProtect Corporate. The ambition is to certify the entire XProtect VMS product range, to allow all sizes of installations to build their video management installations on a proven GDPR-ready base. Video push functionality Other updates in the new XProtect 2019 R2 release include a simplified process of working with and getting test licenses, as they can now be obtained directly from the Milestone Customer Dashboard, allowing partners to evaluate, test, and demo XProtect for one year without having to purchase the software upfront. The 2019 R2 release includes enhancements to XProtect Mobile by adding audio support The 2019 R2 release also extends the capability of the existing audio support in the XProtect Web Client by adding support for broadcasting announcements to multiple camera-connected speakers at once, allowing personnel to use the XProtect Web Client to do mass communication when they want to warn a crowd or do promotional announcements. Also, the 2019 R2 release includes enhancements to XProtect Mobile by adding audio support to the innovative Video Push functionality. Manage device passwords With the addition of supporting audio, this completes the solution and allows users to create even stronger documentation of incidents, even as they happen. With the 2019 R2 release, it is possible to manage device passwords per device or per group of devices, directly from the XProtect Management Client. This provides an easier and faster way of securing the device security system and addressing potential vulnerabilities. Milestone Systems is taking yet another step forward in ensuring the best possible end-to-end security of XProtect by removing the ability to generate self-signed certificates in the XProtect Mobile Server and eliminating the option to use self-signed certificates in the XProtect Mobile client. This means that users can rest assured that XProtect Mobile complies with the highest security standard in the industry, with support for CA-signed certificates only.

UK organisations are failing to make progress towards strong cybersecurity and are facing paralysis as cybercriminals become more advanced. This is the conclusion drawn from the findings of the 2019 Risk:Value report – ‘Destination standstill. Are you asleep at the wheel?’ – from NTT Security, the specialised security company and centre of excellence in security for NTT Group. Examining the attitudes of 2,256 non-IT decision makers to risk and the value of security to the business, NTT Security’s annual Risk:Value report researches C-level executives and other senior decision makers across 20 countries in the Americas, Asia Pacific and Europe, including the UK, and from across multiple industry sectors. Impact of cyber attacks on businesses Almost all respondents in the UK believe that strong cybersecurity is important to their business over the next 12 monthsUK respondents are aware of the risks posed by cyber threats, with over half (54 per cent) ranking cyber attacks on their organisation as one of the top three issues that could affect businesses in the next 12 months – second only to ‘economic or financial crisis’ (56 per cent). While global organisations rank ‘loss of company data’ in third place, in the UK, 44 per cent believe that cyber attacks on critical infrastructure is a far greater threat. Of the most vulnerable components of critical national infrastructure, telecoms, energy and electricity networks take first, second and third place. Almost all (90 per cent) respondents in the UK believe that strong cybersecurity is important to their business over the next 12 months, compared to 78 per cent who say the same about ‘growing revenue and profit’, while 93 per cent believe cybersecurity has a big role to play in society. According to the report, strong cybersecurity allows UK organisations to ‘ensure the integrity of their data’ (58 per cent) and ‘ensure only the right people have access’ to this data (56 per cent), while around half say it ‘helps protect the brand’. Good and bad practice in cybersecurity Businesses in India, a new country to the research, are now the best performing in the world for cybersecurityFor each organisation in the research for the last two years, NTT Security has analysed the responses for good and bad practice in cybersecurity, with good practice awarded positive scores and bad practice awarded negative scores. The results show a worrying lack of progress globally: in 2019 as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. Thirty-two per cent of businesses score less than zero: that is, they are exhibiting more bad practice than good practice. Businesses in India, a new country to the research, are now the best performing in the world for cybersecurity, ahead of the UK. The performance of organisations in France, Germany and Singapore has worsened in the last year, as has the performance of the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors, placing doubt on the robustness of critical national infrastructure. Areas where UK organisations are stalling Paying cybercriminals: A third (33 per cent) of UK respondents say that they would rather pay a ransom to a hacker than invest more in security because it would be cheaper, a significant rise of 12 per cent over 2018’s Risk:Value report. In addition, 34 per cent said they would rather pay a ransom to a hacker than get a fine for non-compliance of data regulations. Budgets: Security budgets in the UK are potentially failing to keep up with increasing cyber risk, with the percentage of IT budget attributed to security (15 per cent) in line with the global average. The percentage of operations budget spent on security has fallen by around 1 per cent since 2018, to 16.5 percent in 2019. GDPR compliance: Just 30 per cent globally believe they are subject to GDPR, a year on from the deadline, despite it affecting all organisations that have operations or customers in any European Union member state. The UK is a more respectable 48 per cent – still behind Spain (55 per cent) and Italy (50 per cent). Internal security policies: Businesses are still failing to be proactive internally. At a global level, 58 per cent have a formal information security policy in place, just 1 per cent up over last year. While the UK shows an impressive 70 per cent with a policy in place, this is down on last year’s 77 per cent. Less than half (47 per cent), however, admit that their employees are fully aware of such a policy. Incident response plans: In 2019, 60 per cent of UK organisations have an incident response plan in place in the event of a security breach, a 3 per cent drop. However, this is still above the global average of 52 per cent and among the highest figures across all 20 countries. Blaming IT: Around half (44 per cent) of UK respondents believe cybersecurity ‘is the IT department’s problem and not the wider business’, which is in line with the global average of 45 per cent. While Swedish organisations are most likely to blame IT (60 per cent), Brazil is least likely (28 per cent) to do so. Time spent on recovery from cyber breach The cost of recovering from a breach is estimated to be $1.2 million in the UK, matching the global averageThe 2019 Risk:Value report reveals that the time spent on recovering from a cyber breach continues to rise year on year, with UK respondents estimating that it will take 93 days on average to recover. The UK figure is a significant rise of nearly double over last year’s estimated 47 days. The UK now ranks as one of the highest figures globally compared to one of the lowest in 2018. The cost of recovering from a breach is estimated to be $1.2 million in the UK, matching the global average. Notably in the Nordics, costs are predicted to be much higher, with Norway at $1.8 million and Sweden in first place with expected recovery costs for a business suffering a breach of $3 million. Oil & Gas is the industry sector having to spend the most on recovery efforts to the tune of $2.3 million. The estimated loss in revenue in percentage terms is up year on year in the UK – 12.9 per cent, up from 9.7 per cent in 2018, and in line with the global average of 12.7 per cent. Integration of new technologies The execution of cybersecurity strategies must improve or business risk will escalate for the organisations concerned"Commenting on the 2019 findings, Azeem Aleem, VP Consulting, NTT Security, says: “The Risk:Value report is an interesting barometer based on responses from those sitting outside of the IT function – and is often very revealing. What’s clear is that the world around them is changing, and changing fast, with the introduction of new regulations, integration of new technologies and fast-paced digital transformation projects changing the way we work. "What’s concerning though is that organisations seem to have come to a standstill in their journey to cybersecurity best practice – and it’s particularly worrying to see UK businesses falling behind in some critical areas like incident response planning. “Decision makers clearly see security as an enabler; something that can help the business and society in general. But while awareness of cyber risks is high, organisations still lack the ability, or perhaps the will, to manage them effectively. The execution of cybersecurity strategies must improve or business risk will escalate for the organisations concerned.”

Ping Identity, the pioneer in Identity Defined Security, announced a significant update to PingOne for Customers, the cloud-delivered Identity-as-a-Service (IDaaS) offering built for developers. The API-first solution can now deliver seamless and secure push notifications from custom mobile applications that can be used for passwordless and advanced multi-factor authentication. The cloud identity solution helps development teams speed time to launch their applications, while also taking security concerns off their plates and letting them maintain customisation and control over their user experiences. This release marks another milestone for PingOne for Customers that makes embedding secure identity services— login, registration, multi-factor authentication and others — into applications easier than ever. Application developers using PingOne for Customers can now: Convenient and secure authentication factor These push notifications are a more convenient and secure authentication factor than SMS or email OTPsPingOne for Customers is now equipped with a mobile SDK that allows development teams to send push notifications to custom mobile applications for multi-factor authentication (MFA). These push notifications are a more convenient and secure authentication factor than SMS or email one-time passwords (OTPs). Push notifications to custom mobile apps also can be used to achieve strong passwordless authentication, allowing consumers to skip using a password entirely. Social login through different methods PingOne for Customers now has authentication APIs for social login and registration with Facebook. Application teams can add one-click registration and login into their user interfaces in any manner they see fit. They can embed a social login button or link in a hidden dropdown, or lead users directly to it if it’s the method of login they prefer their consumers to use. Social login — like other elements of PingOne for Customers’ authentication APIs — gives development teams full control over their consumer authentication experiences. Login using SAML identity providers PingOne for Customers can now accept inbound SAML assertions and support just-in-time provisioning. This capability helps enable enterprises to route all customer logins through a single sign-on (SSO) experience. This allows enterprises to achieve federated SSO across their entire application portfolio and connect to their largest customers, thus enabling their customers to reuse their existing identities without worrying about tedious onboarding and identity management tasks. Storing data in an EU data centre This helps ensure compliance with data sovereignty and regulations such as GDPRThe solution has added a dedicated data centre in the European Union, giving enterprises confidence that user data added to the EU data centre is completely isolated from users living in other parts of the world. This helps ensure compliance with data sovereignty and regulations such as GDPR, which restricts the allowance of EU citizens’ personal data being sent out of the EU.  Securely getting identity into applications “When PingOne for Customers launched, it took a huge step forward in allowing development teams within large enterprises to quickly and securely get identity into their applications,” said Steve Shoaff, chief product officer, Ping Identity. “This latest release builds on that ease-of-use. It drastically expands the use cases PingOne for Customers can support and enhances critical features that allow development teams to build secure experiences to really wow their consumers.”

Tavcom Training, part of Linx International Group and IFSEC’s education partner, revealed details of the 24 free-to-attend and CPD-accredited education sessions, which will be presented at the Future of Security Theatre (Stand: IF3140), this year at IFSEC International in London. Tavcom Training has compiled an education programme that addresses many of the most talked about trends and issues amongst security practitioners. Topics being presented by Tavcom Training’s expert tutors include how to counteract the menace of cybercrime, the impact of artificial intelligence on electronics security, future-proofing CCTV networks and improving security through integration. Cybersecurity best practices guidance The BSIA will also join Tavcom Training in the theatre to provide cybersecurity best practices guidanceSessions will also be dedicated to the threat of drone attacks and available countermeasures, the hackability of autonomous vehicles, and whether the security sector is ready for 5G, as mobile operators begin switching on UK networks this year. Also, with issues regarding the use of facial recognition currently hitting the headlines and a year on from the introduction of GDPR, the challenge of running effective video surveillance that balances privacy and security will be debated. The BSIA will also join Tavcom Training in the theatre to provide cybersecurity best practices guidance, whilst the SSAIB will deliver an intruder alarm standards update involving PD6662. Learning to address the security issues Tavcom Training is proud to once again be IFSEC’s education partner and Head of Sales Andrew Saywell, comments: “This year, we have put together a packed programme of the most pertinent topics, delivered by world-leading subject matter experts. Over the three-days, we are offering security practitioners an unmissable opportunity to learn how they can address the issues affecting them today, whilst readying them for what lies ahead.” The Future of Security Theatre will open at 10.45am each day of IFSEC International with an introduction to the Certified Technical Security Professional (CTSP) Register, which is operated by Tavcom Training and supported by the BSIA and SSAIB. CTSP is a publicly searchable online Register of those fulfilling technical roles including installation, maintenance and commissioning of technicians/engineers, auditors and consultants. It is an important initiative that is helping to raise standards throughout the sector.

The world's first fully managed Video Surveillance as a Service (VSaaS) system - Ocucon - has announced that it will provide a free CCTV hardware upgrade for customers of its cloud-based storage as it launches a first-of-its-kind zero capital expenditure model. Breaking new ground in surveillance technology, Ocucon delivers a powerful, cloud-based storage and retrieval platform, combining intelligent data analytics with the facility to store, analyse and retrieve unlimited amounts of HD video surveillance footage from within the Ocucon portal. We’re now able to offer customers the benefits of new CCTV hardware alongside our industry-leading cloud storage"In an industry first, the surveillance technology start-up has announced that customers of its standard cloud-based storage package will now be able to upgrade their CCTV infrastructure at no additional cost. With Ocucon already in talks with 6 out of 10 of the largest retailers in the world, the new business model is expected to further increase demand. Removing hardware costs completely Ocucon Co-Founder Gary Trotter commented: “Whereas some SaaS providers talk about removing upfront costs for hardware but add these in elsewhere, our new Ocucon business model removes hardware costs completely. From the outset, Ocucon’s aim has been to break new grounds in surveillance technology and revolutionise the way in which businesses and organisations record, store and access their CCTV footage. “We know that many businesses are struggling with legacy CCTV systems that are costly to replace and prevent them from utilising industry-leading software and analytics. By working closely with our partners and reimagining the typical surveillance business model, we’re now able to offer customers the benefits of new CCTV hardware alongside our industry-leading cloud storage, with zero capital expenditure from the customer.” Defending against fraudulent cases of slips Ocucon’s innovative pixelation service delivers intelligent cloud-based video redaction tools for GDPR complianceLaunched in October 2017, Ocucon’s award-winning technology revolutionises the ability of businesses to defend against fraudulent cases of slips, trips and falls – currently estimated to cost the UK economy alone more than £800 million a year – by removing physical limitations on the amount of surveillance footage an organisation can save. Since its launch, Ocucon has seen significant interest in both the UK and US and has been recognised by leading UK business awards for its digital technology innovation. Last year, the North East-based firm also launched Ocucon Pixelate. Harnessing the power of artificial intelligence and machine learning, Ocucon’s innovative pixelation service delivers intelligent cloud-based video redaction tools for General Data Protection Regulation (GDPR) compliance. Ocucon recently announced that Pixelate will be launching automatic full body redaction as part of a second generation roll out of its intuitive web-based software. The pioneering new technology will allow users to simply select the people they do not wish to pixelate before footage is automatically redacted in a matter of seconds.

The Boring Lab announced that The Boring Toolbox, a set of performance and maintenance tools to help customers more efficiently manage Milestone Systems’ XProtect video surveillance networks, has added key features for enterprise and large-scale sites with 5,000+ cameras and 100,000+ devices. The Boring Toolbox V3 offers a smoother user experience and optimised performance features, both of which were necessary to support larger installations. The Boring Toolbox allows customers to maintain a higher level of security through streamlining management tools (including bulk password changing, camera settings modifications across dissimilar devices, and providing optimised and hassle-free report generation in Excel). The Boring Toolbox assists in data protection regulation compliance, such as GDPR Assists in data protection regulation In addition, The Boring Toolbox assists in data protection regulation compliance, such as GDPR, since customers can manage medium-to-large scale datasets within VMS systems, rather than having to work on each device separately. Enhancements to Boring Toolbox V3 include: Optimised to reduce loading times of the application by 85% Optimised for large data sets of 4000+ device groups, 100,000+ devices Optimised generating camera report by approximately 60% Bulk IP address updating Compatible with Sivelliance VMS The Boring Toolbox can now manage camera deployments from Arecont, Axis, Hanwha, Sony and BoschThe Boring Toolbox is now compatible with new systems and devices. Siemens Building Technology verified that it is compatible with Sivelliance VMS (video management system). The Boring Toolbox can now manage camera deployments from Arecont, Axis, Hanwha, Sony and Bosch. “The initial release of The Boring Toolbox has been applauded by the Milestone community. After coming off of our recent win as Milestone Solution Partner of the year, we’ve delivered Version 3 to support larger enterprise installations tackle surveillance network issues around cybersecurity and GDPR compliance,” said Ronen Isaac, CEO of The Boring Lab. “Additional integrations with Siemens and camera manufacturers further extends the Boring Toolbox’s value and our promise to make Milestone installations less boring to manage.” The Boring Toolbox V3 is available immediately. Visit The Boring Lab at ISC West in the Milestone Partner Pavilion at booth # 18053.

There’s a lot of hype around the term ‘digital transformation.’ For some, it’s the integration of digital technology into everyday tasks. For others, it’s the incorporation of innovative processes aimed at making business optimisation easier. In most cases, digital transformation will fundamentally change how an organisation operates and delivers value to its customers. And within the security realm, the age of digital transformation is most certainly upon us. Technology is already a part of our day-to-day lives, with smart devices in our homes and the ability to perform tasks at our fingertips now a reality. No longer are the cloud, Internet of Things (IoT) and smart cities foreign and distant concepts full of intrigue and promise. Enhancing business operations We’re increasingly seeing devices become smarter and better able to communicate with each other These elements are increasingly incorporated into security solutions with each passing day, allowing enterprises the chance to experience countless benefits when it comes to enhancing both safety and business operations. The term ‘connected world’ is a derivative of the digital transformation, signifying the increasing reliance that we have on connectivity, smart devices and data-driven decision-making. As we become more familiar with the advantages, flaws, expectations and best practices surrounding the connected world, we can predict what issues may arise and where the market is heading. We’re increasingly seeing devices become smarter and better able to communicate with each other through the IoT to achieve both simple goals and arduous tasks. Within our homes, we’re able to control a myriad of devices with commands (‘Hey Google...’ or ‘Alexa...’), as well as recall data directly from our mobile devices, such as receiving alerts when someone rings our doorbell, there’s movement in our front yard or when a door has been unlocked. Analytics-driven solutions The focus is now shifting to the business impacts of connectivity between physical devices and infrastructures, and digital computing and analytics-driven solutions. Within physical security, connected devices can encompass a variety of sensors gathering massive amounts of data in a given timeframe: video surveillance cameras, access control readers, fire and intrusion alarms, perimeter detection and more.As the data from each of these sensors is collected and analysed through a central platform, the idea of a connected world comes to fruition, bringing situational awareness to a new level and fostering a sense of proactivity to identifying emerging threats. The connected world, however, is not without its challenges, which means that certain considerations must be made in an effort to protect data, enhance structured networking and apply protective protocols to developing technology. Physical security systems We can expect to see the conversations regarding data privacy and security increase as well As the use of connected devices and big data continue to grow, we can expect to see the conversations regarding data privacy and security increase as well. Connectivity between devices can open up the risk of cyber vulnerabilities, but designing safeguards as technology advances will lessen these risks. The key goal is to ensure that the data organisations are using for enhancement and improvements is comprehensively protected from unauthorised access. Manufacturers and integrators must be mindful of their products' capabilities and make it easy for end users to adhere to data sharing and privacy regulations. These regulations, which greatly affect physical security systems and the way they're managed, are being implemented worldwide, such as the European Union's General Data Protection Regulation (GDPR). In the United States, California, Vermont and South Carolina have followed suit, and it can be expected that more countries and U.S. states develop similar guidelines in the future. Technology is already a part of our day-to-day lives, with smart devices in our homes and the ability to perform tasks at our fingertips now a reality Automatic security updates Mitigating the concerns of the ‘connected world’ extends beyond just data privacy. IoT technology is accelerating at such a pace that it can potentially create detrimental problems for which many organisations may be ill-prepared - or may not even be able to comprehend. The opportunities presented by an influx of data and the IoT, and applying these technologies to markets such as smart cities, can solve security and operational problems, but this requires staying proactive when it comes to threats and practicing the proper protection protocols. As manufacturers develop devices that will be connected on the network, integrating standard, built-in protections becomes paramount. This can take the form of continuous vulnerability testing and regular, automatic security updates. Protocols are now being developed that are designed to ensure everything is encrypted, all communications are monitored and multiple types of attacks are considered for defensive purposes to provide the best security possible. IoT-connected devices Hackers wishing to do harm will stop at nothing to break into IoT-connected devices Built-in protection mechanisms send these kinds of systems into protection mode once they are attacked by an outside source. Another way for manufacturers to deliver solutions that are protected from outside threats is through constant and consistent testing of the devices long after they are introduced to the market. Hackers wishing to do harm will stop at nothing to break into IoT-connected devices, taking every avenue to discover vulnerabilities. But a manufacturer that spends valuable resources to continue testing and retesting products will be able to identify any issues and correct them through regular software updates and fixes. ‘IoT’ has become a common term in our vocabularies and since it’s more widely understood at this point and time, it's exciting to think about the possibilities of this revolutionary concept. Providing critical insights The number of active IoT devices is expected to grow to 22 billion by 2025 — a number that is almost incomprehensible. The rise of 5G networks, artificial intelligence (AI) and self-driving cars can be seen on the horizon of the IoT. As more of these devices are developed and security protocols are developed at a similar pace, connected devices stand to benefit a variety of industries, such as smart cities. Smart cities rely on data communicated via the IoT to enhance processes and create streamlined approaches Smart cities rely on data communicated via the IoT to enhance processes and create streamlined approaches to ensuring a city is well-run and safe. For example, think of cameras situated at a busy intersection. Cameras at these locations have a variety of uses, such as investigative purposes in the event of an accident or for issuing red-light tickets to motorists. But there are so many other possible purposes for this connected device, including providing critical insights about intersection usage and traffic congestion. These insights can then be used to adjust stoplights during busy travel times or give cities valuable data that can drive infrastructure improvements. Physical security market The impact of connected devices on cities doesn’t stop at traffic improvement. The possibilities are endless; by leveraging rich, real-time information, cities can improve efficiencies across services such as transportation, water management and healthcare. However, stringent protections are needed to harden security around the networks transmitting this kind of information in an effort to mitigate the dangers of hacking and allow this technology to continuously be improved. Whether you believe we’re in the midst of a digital transformation or have already completed it, one thing is certain: businesses must begin thinking in these connectivity-driven terms sooner rather than later so they aren’t left behind. Leveraging smart, connected devices can catapult organisations into a new level of situational awareness, but adopting protections and remaining vigilant continues to be a stalwart of technological innovation within the physical security market and into the connected world.

In the next three years, software as a service ‘SaaS’ is likely to grow by around 23%. That’s according to reports by Cognizance. It’s growth rests on the adoption of cloud public, private and hybrid. Without the cloud applications can’t truly pervade an organisation, nor can operational or customer benefits be derived. But there’s no point in adopting the cloud if it’s not secure - the proliferation of SaaS demands security, none more so in a GDPR world. Large cloud environment But modern applications are difficult to secure. SaaS based, web, mobile, or custom made all work on different platforms and frameworks. It’s a headache managing all the APIs needed to automate and sync tools. This introduces risk. The greater the number of apps the broader the attack surface and therefore the greater the chance there will be blind posts. Keeping up to date with updates and new security policies is never easy There are also added hazards. Applications are always changing. Keeping up to date with updates and new security policies is never easy, but especially hard in a large cloud environment. Failure to adopt changes puts the organisation and customers at further risk. But the biggest obstacle is keeping applications and APIs out of harm’s way. It’s a near on impossible task when attack methods and sources are constantly changing. More advanced threats To be specific there are four emerging challenges when it comes to protecting apps. Firstly, managing the good and the bad bots and spotting which is which, secondly securing APIs as IoT adoption intensifies, thirdly the relationship between securing apps and DevOps and ensuring ownership of security, and finally denial of service attacks that use newer tactics such as brute force. Basic security hygiene dictates that security teams refer to the OWASP Top 10. It’s considered the ‘ten commandments’ in security circles, providing a starting point for ensuring the most common threats and vulnerabilities are managed, detected and mitigated. Web Application Firewalls also come into the fray with guidance on testing for the ways hackers exploit vulnerabilities. However, though the basics are good to have in place, there are always more advanced threats to take care of. Bots being a big one. Bot management The more sophisticated bots will go as far as to mimic human behaviourAstonishingly about half of internet traffic is bot generated. Half of it is from bad bots. Discerning the good from the bad isn’t easy though and explains why around 80% of organisations can’t make a clear distinction between the two. Bad bots can do a lot of damage like take over user accounts and payment information, scrape confidential data, or hold up inventory and skew marketing metrics. The more sophisticated bots will go as far as to mimic human behaviour and bypass tools like CAPTCHA and even device fingerprinting based protection ineffective. Securing APIs Then there’s the complications derived from machine-to-machine and internet of things (IoT) communications. The more integrated ‘things’, the more data there is, the more events there are report on, and the more activity there is reliant on APIs to make the ‘things’ useful and agile. That’s what makes them a target and the threats to API vulnerabilities include injections, protocol attacks, parameter manipulations, invalidated redirects and bot attacks. There’s the risk that business will grant access to sensitive data, without inspecting nor protecting APIs to detect cyberattacks.   There’s the risk that business will grant access to sensitive data, without inspecting nor protecting APIs to detect cyberattacks Denial of service (DoS) You might think there’s little to add to the swathes of denial of service warnings. Yet when businesses are still being targeted and feeling the ill effects it’s worth mentioning again that different forms of application-layer DoS attacks are still very effective at bringing application services down. Even the greatest application protection is worthless if the service itself can be knocked down This includes HTTP/S floods, low and slow attacks (famous examples being Slowloris, LOIC, Torshammer), dynamic IP attacks, buffer overflow, Brute Force attacks and more. The IoT botnets are the culprits and have made application-layer attacks so popular that they have become the preferred DDoS attack vector. Even the greatest application protection is worthless if the service itself can be knocked down. Continuous security It may seem easy to say but for modern DevOps, agility is valued at the expense of security. We see time and again examples of where development and roll-out methodologies, such as continuous delivery, mean applications are exposed to threats each time they are modified. There’s no doubt it is extremely difficult to maintain a valid security policy and protect sensitive data in dynamic conditions without creating a high number of false positives. But we now find that this task has gone way beyond the capability of humans. Organisations now need machine-learning based solutions that map application resources, analyse possible threats, and create and optimise security policies in real time. Reaching this level in security planning should be a big wake-up call that security automation is an essential not a nice to have. Running security plans The board needs to know that investment is critical to protect their profits It’s critical that the security solution your company adopts protects applications on all platforms, against all attacks, through all the channels and at all times. The board needs to know that investment is critical to protect their profits. As such there are six things they need to know: Application security solutions must encompass web and mobile apps, as well as APIs. Bot management solutions need to overcome the most sophisticated bot attacks. DDoS mitigation must be an essential and integrated part of application security solutions. A future-proof solution must protect containerised applications, severless functions, and integrate with automation, provisioning and orchestration tools. To keep up with continuous application delivery, security protections must adapt in real time. A fully managed service should be considered to remove complexity and minimise resources. No amount of human power will beat the bots. That last point is the most critical. Skill is essential in designing and running security plans and policies that work. But the plans can’t be executed without automated tools. There are just too many decisions to make in a split second. Combining both is the path to an effective app protection strategy and a stronger brand to boot.

The past decade has seen unprecedented growth in data creation and management. The products and services that consumers use every day – and the systems businesses, large and small, rely on – all revolve around data. The increasing frequency of high-profile data breaches and hacks should be alarming to anyone, and there’s a danger data security could worsen in the coming years. According to DataAge 2025, a report by IDC and Seagate, by 2025, almost 90% of all data created in the global datasphere will require some level of security, but less than half of it will actually be secured. Nuanced approach to data security Security is a circle, not a line. Every actor involved in the handling and processing of data has responsibility for ensuring its securityThe rapid proliferation of embedded systems, IoT, real-time data and AI-powered cognitive systems – as well as new legislation like the European Union’s GDPR – means that data security has to be a priority for businesses like never before. With data used, stored and analysed at both the hardware and software level, we need a new and more nuanced approach to data security. Security is a circle, not a line. Every actor involved in the handling and processing of data has responsibility for ensuring its security. What this means in practice is renewed focus on areas of hardware and software protection that have previously not been top of mind or received large amounts of investment from businesses, with security at the drive level being a prime example. The importance of data-at-rest encryption In a world where data is everywhere, businesses need always-on protection. Data-at-rest encryption helps to ensure that data is secure right down to the storage medium in which it is held in a number of ways. Hardware-level encryption, firmware protection for the hard drive, and instant, secure erasing technology allow devices to be retired with minimal risk of data misuse. Data-at-rest encryption helps to ensure that data is secure right down to the storage medium in which it is held in a number of ways A recent report from Thales Data Threat found that data-at-rest security tools can be a great way to help protect your data. However, it’s important to note that this must be used in conjunction with other security measures to ensure that those that fraudulently gain access to your key management system can’t access your data. Ensuring drives to be Common Criteria compliant One straightforward test any business can do to ensure its storage is as secure as possible is to check whether the drives are Common Criteria compliantDespite the clear benefits, this kind of encryption lags behind other areas, such as network and endpoint security, in terms of the investment it currently receives. The same Thales Data Threat report found that data-at-rest security was receiving some of the lowest levels of spending increases in 2016 (44%), versus a 62% increase for network and a 56% increase for endpoint security. One straightforward test any business can do to ensure its storage is as secure as possible is to check whether the drives are Common Criteria compliant. Common Criteria is an international standard for computer security certification, and drives that meet this standard have a foundational level of protection which users can build on. Providing an additional layer of security The retail industry has seen a spate of security breaches recently, with several major US brands suffering attacks over the busy Easter weekend this year. As frequent handlers of consumer card information, retailers are particularly vulnerable to attack. Data-at-rest encryption could enhance security in these instances, providing an additional layer of security between customer records and the attacker The advanced threats retailers face can often evade security defences without detection. Such a breach could grant attackers unrestricted access to sensitive information for possibly months – some breaches are known to have been detected only after consumer payment details appeared on the dark web. These types of undetected attacks are highly dangerous for retailers, which are relatively helpless to protect consumer information once their defences have been compromised. Data-at-rest encryption could significantly enhance security in these instances, providing an additional layer of security between customer records and the attacker which has the potential to make the stolen data valueless to cyber criminals. Industries in need of data-at-rest encryption Healthcare organisations, which hold highly sensitive customer and patient information, have a strong use case for data-at-rest encryption. With the widespread adoption of electronic patient health records, that data is increasingly more vulnerable to attack. Recent research from the American Medical Association and Accenture revealed that 74% of physicians are concerned over future attacks that may compromise patient records. With the widespread adoption of electronic patient health records, that data is increasingly more vulnerable to attack The financial sector would also benefit from further investment in data-at-rest encryption, given 78% of financial services firms globally are planning on increasing their spending on critical data, according to Thales’ Data Threat Report. It’s helpful to view security as a circle in which every piece of hardware and software handling the data plays its part SMEs and enterprises are not immune to security threats either – with growing numbers of people traveling for work or working remotely, the risk of sensitive business data becoming exposed via device theft is heightened. Usernames and passwords have little use if thieves can simply remove unencrypted hard drives and copy data across. Securing every hardware and software Technology vendors often focus on aspects of hardware and application security that are within their control. This is understandable, but it risks proliferating a siloed approach to data security. There is no single line for data security -- rather, it’s helpful to view it as a circle in which every piece of hardware and software handling the data plays its part. There’s a clear need for more industry dialogue and collaboration to ensure data security is effectively deployed and connected throughout the security circle and across the value chain.

Police in the United Kingdom have been testing the effectiveness of live facial recognition (LFR) for several years now, but future uses of the technology have been called into question. The Information Commissioner’s Office (ICO), an independent authority that seeks to uphold information rights in the public interest, has weighed in on issues of data privacy related to LFR, and Members of Parliament (MPs) have called for a moratorium on uses of the technology. The big question is whether the benefits of LFR outweigh its impact on privacy rights. Live facial recognition I believe that there needs to be demonstrable evidence that the technology is necessary" The House of Commons Science and Technology Committee has expressed concerns about bias, privacy and accuracy of facial recognition systems and urged the U.K. government to issue a moratorium on further live facial recognition trails until regulations are in place to address bias and data retention. According to Elizabeth Denham, U.K. Information Commissioner: “[Police trials of LFR] represent the widespread processing of biometric data of thousands of people as they go about their daily lives. And that is a potential threat to privacy that should concern us all.” Denham says live facial recognition (LFR) is a high priority area for ICO. “I believe that there needs to be demonstrable evidence that the technology is necessary, proportionate and effective considering [its] invasiveness,” she says. Potential public distrust “Any organisation using software that can recognise a face amongst a crowd and then scan large databases of people to check for a match in a matter of seconds, is processing personal data,” says Denham. General Data Protection Regulation (GDPR) wording specifies biometric data as a ‘sensitive’ category of personal information. London’s Metropolitan Police Service performed 10 trials of live facial recognition at various venues in 2016, 2017 and 2018. The London Police Ethics Panel reviewed the trials and concluded that additional use of the technology would be supported if certain conditions were met. One condition is if the “overall benefits to public safety [are] great enough to outweigh any potential public distrust in the technology.” Each deployment should be assessed and authorised as necessary and proportionate. Operators should be trained to understand associated risks and to be accountable, and there should be evidence that the technology does not promote gender or racial bias. Develop strict guidelines Met Police used NEC’s NeoFace technology to analyse images of the faces of people on a watch list The Ethics Panel also specified that both the Metro Police and Mayor’s Office for Policing and Crime should develop strict guidelines to ensure that deployments balance the benefits of the technology with the potential intrusion on the public. “We want the public to have trust and confidence in the way we operate as a police service, and we take the report’s findings seriously,” said Detective Chief Superintendent Ivan Balhatchet, who led the trials.  In its 10 trials of live facial recognition, Met Police used NEC’s NeoFace technology to analyse images of the faces of people on a watch list. The system measured the structure of each face, including distance between eyes, nose, mouth and jaw to create facial data, which was used to match against the watch list. The system only kept faces matching the watch list, and only for 30 days. Non-matches are deleted immediately. More accurate identification An independent review of the trials, commissioned by the Metropolitan Police, concluded it is ‘highly possible’ that the Met’s ‘trial’ deployments would not satisfy the key legal test of being considered ‘necessary in a democratic society’ if challenged in the courts, according to U.K. human rights advocacy group Liberty. South Wales Police have partnered with NEC to formally pilot facial recognition technology. NEC’s real-time solution enables trained officers to monitor movement of people at strategic locations. “Facial recognition technology enables us to search, scan and monitor images and video of suspects against offender databases, leading to faster and more accurate identification of persons of interest,” says Assistant Chief Constable Richard Lewis. “The technology can also enhance our existing CCTV network in the future by extracting faces in real time and instantaneously matching them against a watch list of individuals, including missing people.” U.K. human rights advocacy group Liberty has taken legal action on behalf of one Cardiff resident against South Wales Police Intrusive technology “We are very cognisant of concerns about privacy, and we are building in checks and balances into our methodology to reassure the public that the approach we take is justified and proportionate,” says Lewis. U.K. human rights advocacy group Liberty has taken legal action on behalf of one Cardiff resident against South Wales Police over its use of facial recognition. “Facial recognition is an inherently intrusive technology that breaches our privacy rights,” says lawyer Megan Goulding at Liberty. “It risks fundamentally altering our public spaces, forcing us to monitor where we go and who with, seriously undermining our freedom of expression.” ICO’s Denham says any judgment resulting from the legal action will form an important part of ICO’s investigation and will be considered before ICO’s final findings are published. Information management South Wales Police offers the following assurance: “Data will only be retained as long as is necessary for a policing purpose, as per guidance within the Authorised Policing Practice on information management.” Facial recognition systems are yet to fully resolve their potential for inherent technological bias" One concern is that live facial recognition ‘discriminates’ against women and people of colour because it disproportionately misidentifies them, thus making them more likely to be subject to a police attention. ICO’s Elizabeth Denham comments: “Facial recognition systems are yet to fully resolve their potential for inherent technological bias; a bias which can see more false positive matches from certain ethnic groups.” Taking regulatory action ICO has also considered data protection ramifications of commercial companies using LFR. Denham says: “The technology is the same and the intrusion that can arise could still have a detrimental effect. In recent months, we have widened our focus to consider use of LFR in public spaces by private sector organisations, including where they are partnering with police forces. We will consider taking regulatory action where we find non-compliance with the law.” A 27-page U.K. Home Office Biometrics Strategy sets out an overarching framework within which organisations in the Home Office sector will consider and make decisions on the use and development of biometric technology. However, Biometrics Commissioner Paul Wiles says the document “doesn’t propose legislation to provide rules for the use and oversight of new biometrics, including facial images. Given that new biometrics are being rapidly deployed or trialed, this failure to set out more definitively what the future landscape will look like in terms of the use and governance of biometrics appears to be short-sighted.”

Time for an indepth review of IFSEC 2019 in London. This show had fewer exhibitors than previous shows, and the ‘vibe’ was definitely more low-key. Fewer exhibitors meant larger aisles and plenty of room to breathe, and the slower pace provided time for exhibitors to reflect (often negatively) on the return on investment (ROI) of large trade shows. There was little buzz on the first day of the show, but spirits picked up on the second day (when, not coincidentally, some exhibitors served drinks to attendees at their stands). Enterprise security solutions One eye-catcher was smart wireless security provider Ajax Systems’ stylish black stand Many exhibitors compared IFSEC unfavourably to ISC West in the United States and even to Intersec in Dubai. Others seemed willing to be lured back to Birmingham (previous location for IFSEC) to participate in the upstart competitor, The Security Event, next spring. However, not all the IFSEC 2019 reviews were negative. Vaion made the most of their small stand toward the back of the hall. They experienced brisk traffic right up until the end of the show. Happy with the response, the provider of real-time enterprise security solutions reportedly has already committed to IFSEC 2020. Other exhibitors also made the most of their space at IFSEC; one eye-catcher was smart wireless security provider Ajax Systems’ stylish black stand. Vaion made the most of their small stand toward the back of the hall Latest new products Nedap launched a new product, AEOS 2019.1, that is five time faster and more stable than its predecessor. It uses HTML5 – no more reliance on Adobe. Feedback has been good. The company has also increased its integration of open security standards (OSS). Traka showcased smart lockers, which are modular, scalable, and staff can easily replace broken equipment. Product features can be adapted to specific sectors (i.e., retail, prisons). Traka spends 30% of its revenue on research and development, developing their own engineering. The company has seen massive growth in the UK and Europe. Hanwha Techwin lured visitors into the center of their stand with drinks and ice cream, surrounded by the latest new products. Hanwha promoted their investment in a manufacturing facility in Vietnam and showcased Wisenet cameras with enhanced 4K images, digital auto tracking, and less motion blur for clearer images. Video verification product A multi-sensor model captures wide areas with a single camera. Hanwha also offered some value-priced cameras that feature easy self-install and are swappable. Optex launched a new product called ‘the Bridge’, a video verification product that bridges CCTV on a digital video recorder (DVR) to intruder alarms. Hanwha showcased Wisenet cameras with enhanced 4K images UK Surveillance Camera Commissioner Tony Porter announced ‘Security By Default’, a set of minimum requirements that will guarantee users that network video security products are as secure as possible in their default settings right out of the box. Hikvision promoted their support for Secure by Default and expressed hopes the initiative would be embraced by other companies and create a new best practice for camera cybersecurity. Hikvision also promoted their retail solution, which includes on-site redaction for GDPR compliance, shelf detection incorporating artificial intelligence, and use of heat mapping to analyse customer foot traffic. Generating revenue Safety and Security Things (SAST), another IFSEC exhibitor, is in the process of creating an ‘app store’ for the security market. Striving to achieve critical mass with participation by a wide range of systems integrators and manufacturers, SAST has a goal of launching to the public in Q1 next year in time for ISC West. Hanwha Techwin is among the players that have already joined the alliance A pilot version will debut this autumn, and they already have 26 apps and six camera manufacturers toward that goal. With a staff of 120, mostly based in Munich, SAST expects to begin generating revenue in 2020 and to grow rapidly. An investment by Bosch is financing start-up operations. Open Security & Safety Alliance (OSSA) is creating standards and a platform to enable the sale of apps in the security market. Large industry players Hanwha Techwin is among the players that have already joined the alliance, and OSSA is seeking to add other large companies, such as Axis, Genetec and Hikvision. Engaging integrators, app developers and software providers as well as camera manufacturers will generate widespread support to ensure the initiative succeeds. Although currently most OSSA members are based in the EU and Asia, it is a global organisation open to any company in the world. Many large industry players are now missing from the IFSEC show floor; the most noticeable new abstainer this year was Milestone. And the downturn seems likely to continue: Exhibitors were largely noncommittal about returning next year, although organisers were urging them during the exhibition to sign up for 2020.

Attendees strolling the exhibit hall at IFSEC International, 18-20 June, 2019, at ExCel London, will be hearing a lot about artificial intelligence, convergence and GDPR. These industry hot topics are representative of major trends in the industry, from new technologies to new ways of designing systems to new privacy requirements. The education sessions at IFSEC International will also address these timely subjects – and provide a welcome chance to sit down and consider the ‘bigger picture.’ Here are some sessions to consider:    Artificial Intelligence The session will examine the ‘connectionism’ aspect of AI with reference to machine learning and neural networks A session on artificial intelligence asks: ‘Will AI change the face of the Electronic Security Industry?’ The session will examine the ‘connectionism’ aspect of AI with reference to machine learning and neural networks. Connectionism, or neuronlike computing, developed out of our understanding of how the human brain works at the neural level. Each neuron in the brain is akin to a simple digital processor, and the brain as a whole is like a computing machine. Has the time come for artificial intelligence and machine learning for security? That’s the focus of another session that will explore where AI is headed and if it can help move security practice from prevention to real-time threat detection. Is AI a technology looking for a problem to solve? Is it mature enough for mainstream usage in security scenarios? Does AI present a ‘double-edged risk’ (i.e., because enterprises and attackers have access to the same tools)? Convergence A combined security approach – unifying physical security and cybersecurity – is a real and immediate need in today’s high-risk and high-threat environment. By leveraging disparate sources of data, organisations can effectively manage a situation in real-time without having to go to multiple individual subsystems to get the job done. A panel session at IFSEC will discuss the concept, reality, and evolution of both physical and cybersecurity teams collaborating in the same Security Operations Centre. Here are some other sessions related to convergence of physical and cybersecurity: How converged security centres respond in real-time to physical and online threats How converged technologies ease prevention and response to unauthorised physical/logical access to corporate facilities and networks How chief security officers can benefit from data analytics and converged platforms to understand the complex physical and cyber risks posed to transport systems. GDPR Whilst the regulations provide a more comprehensive basis in law for the management of personal data The introduction in 2018 of the EU General Data Protection Regulations (GDPR) and Data Protection Act 2018 have elevated compliance requirements for video surveillance systems. That’s the subject of the session ‘GDPR – Video Surveillance: Balancing Privacy and Security.’ Whilst the regulations provide a more comprehensive basis in law for the management of personal data, they are part of a wider legal consideration for security technologies. Transparency, accountability and impacts on privacy must be actively integrated into security systems from the outset to retain the trust of those they affect. The work of the Information Commissioner (ICO) and the Surveillance Camera Commissioner (SCC) with their respective Codes of Practice provide a bedrock for effective governance. The 2018 Biometrics Strategy for the Home Office and their partners addresses the need for clear and transparent arrangements to ensure risks to privacy are weigh alongside the benefits. The session will examine these complexities and look at what owners and operators of security systems must consider when striving to balance privacy and security.

Genetec Inc., a technology provider of unified security, public safety, operations and business intelligence solutions, announces its solutions have been selected by the Royal Borough of Windsor and Maidenhead (RBWM) for region-wide CCTV monitoring and community safety purposes. The new system will result in better coverage across the borough and enable information to be quickly shared with regional police as and when required. At the heart of the programme is a completely refurbished monitoring centre, equipped with the Genetec flagship unified security platform Security Center and other complementary Genetec security solutions. KiwiVision privacy protector The open federated architecture of the Genetec infrastructure provides the foundation for a system that can scale and evolve as needs change These include the KiwiVision Privacy Protector to simplify GDPR compliance, Genetec Mission Control to guide operators in providing a consistent response to incidents and Genetec Clearance for the easy and secure sharing of evidence with local law enforcement. The open federated architecture of the Genetec infrastructure provides the foundation for a system that can scale and evolve as needs change. It also allows RBWM to protect its past investments by retaining the majority of its existing cameras, alongside the 200 that will be added, upgraded or relocated. “The safety of residents and visitors in the borough is a priority, and we are pleased to be installing a new-state of the art system that delivers this,” said Cllr. Mike Airey, cabinet member for environmental services. Improved information sharing “We not only benefit from reduced operating costs and improved information sharing with local police, but we also gain access to cutting edge privacy controls that make it far simpler for us to maintain our compliance with the EU GDPR and other data protection regulations.” The project began when specialist town centre video surveillance consultancy firm Global MSC Security (MSC) was called in to assess the Royal Borough’s existing analogue video surveillance system, its fitness for purpose and how it could be cost-effectively improved. This resulted in a competitive tendering exercise won by Computerised & Digital Security Systems Ltd. Cost-effective response (CDS) who designed a state-of-the-art wireless camera system to support the Genetec open architecture video management system (CDS) who designed a state-of-the-art wireless camera system to support the Genetec open architecture video management system. Some of the key technical benefits delivered by CDS include full HD recording, advance graphical mapping, advanced incident response, customisable and extended video storage retention, and various features to aid data protection regulation compliance such as automated pixelisation of images and end-to-end encryption to enhance privacy controls “Genetec is delighted to see our solutions chosen by the Royal Borough of Windsor & Maidenhead for this well thought out upgrade that will benefit the council, local police and citizens”, added Dan Meyrick, Regional Sales Manager, Genetec Inc. “I would like to thank and congratulate our partner CDS for producing a high quality and cost-effective response that delivered against the customer’s requirements.”

In the digital age, software is a component of almost all systems, including those that drive the physical security market. A trend toward hardware commoditisation is making the role of software even more central to providing value to security solutions. Software developments make more things possible and drive innovation in the market. We asked this week's Expert Panel Roundtable: How do software improvements drive physical security?  

The definition of a standard is “an authoritative principle or rule that usually implies a model or pattern for guidance, by comparison with which the quantity, excellence, correctness, etc., of other things may be determined.” In technology markets, such as physical security, standards are agreed-upon language, specifications or processes that are used across the board by multiple stakeholders to enable easier interconnectivity and smoother operation of systems. We asked this week’s Expert Panel Roundtable: How are standards shaping change in the physical security market?

ISC West 2019 is in the industry’s rear-view mirror, and what a show it was! The busy three days in April offered a preview of exciting technologies and industry trends for the coming year. We asked this week’s Expert Panel Roundtable: What was the big news at ISC West 2019?