Cyber Daily: Genetec’s State of Physical Security report was released at the end of last year, so I’m wondering, what are some of the real high-line trends that we’re seeing in what’s changing in the sector, and what’s driving those changes?
Andrew Elvish: This is the sixth annual report that we’ve done, and it was actually a really exciting year for the report.
We brought in a massive number of respondents this year, almost 8,000 – I think it was around 7,700 respondents – which really blew past the internal goals we had set, so we got a really good spread of results. I think it’s important for anybody in the physical security space, especially from a global perspective, to get that view across all of the different regions in the world.
It’s a pretty unique report in that respect, because there are very, very few professionally produced reports out there that actually speak to that sort of experience, all the way from ANZ up to Canada and Europe, the Middle East, Asia-Pacific, South America … So that was one thing, just from a functional perspective, that was really interesting.
And the response to the report has been, since we released it in December, just off the charts – I think because the data is showing there are some really big changes afoot. And you know, every year, some data points really jump out at me, in terms of the big trend lines, the big changes.
In the past reports that we’ve done, it’s always been in terms of spend priority for physical security professionals. It’s always covered how access control is the number one, because most access control is significantly outdated, very cyber insecure, and totally non-modern technology. So that doesn’t surprise me, and then usually second place priority was something like video surveillance investments – but this year changed the whole thing.
Over the past two years, artificial intelligence has been down in the sixth or seventh priority rank of spending. This year, it went all the way to number two, and it displaced video surveillance investment; people were really prioritising spending on bringing artificial intelligence into their physical security pipeline, and that’s a really interesting, really big change. But that change also came with another eye-opening piece of data, and that was the question around, “What are buyers, end-user buyers, prioritising when they choose physical security vendors?”
Now, the usual suspects were in that response, right? You know, performance, price, availability, innovation, all of those hovered between 40 per cent of respondents prioritising them, but then there was a data point, which was 73 per cent of the respondents put the focus squarely on vendor stability and longevity – that was really eye-opening.
Cyber Daily: They’re looking for long-term partners, not short-term solutions.
Andrew Elvish: But that’s exactly it.
It speaks to the fact that physical security platforms and physical security investment are seen as more of an enterprise investment than a one-off type investment. This is more akin to deciding on which ERP you’re going to install, versus a point solution that you need in the department.
This is a really big change in the industry right now, and I think people are looking closely at the nature of vendors in the physical security space. There’s a lot of venture capital money sloshing around. A lot of companies are in it to IPO and make their shareholders super rich. And I think a lot of people have gotten burned by these kinds of investments in the past. I mean, the track record of IPOs is very clear – most of the key talent after, it IPOs, get out of dodge real quick, because they’re all multimillionaires, and they’re not really interested in delivering innovation to their customers. They’re more excited about buying a new Lamborghini.
I think, in the minds of physical security professionals, this has become a big thing. And I think in terms of top-line takeaways, those two really stood out to me. And I think also more generally, across all of the responses in the report, it’s this growing sophistication of the physical security buyer, who is much more savvy, a little bit more circumspect, and certainly much more driven to put their money behind value and trustworthiness and sort of flash and fluff.
Cyber Daily: The idea of a cyber security incident in Hollywood often involves not just an intrusion into a network, but people turning off security cameras and such like that – actual physical impact. So I’m wondering: is there any real-world overlap of cyber security and physical security?
Andrew Elvish: It’s much more of a thing you’re going to see more in Hollywood, but it still does happen – people physically tampering with physical equipment to commit crimes.
Because we deal with a wide range of large-scale end users in places like oil and gas, in places with very high-value or high-net-worth individuals, where you have to really prepare for the worst when you’re dealing with things like this. So you start thinking about, “OK, how can we really take control of situations and highlight when tampering is happening?”
It must have been in 2015, we introduced what we call the Camera Integrity Monitor as a really important thing, because humans cannot look at all of the cameras and all of the video footage all the time. It’s impossible.
But what our system does is highlight and say, this camera is no longer in the focal range that you had set it, it is pointing at the ground. It is spray-painted over. It has been tampered with, and you need to do a service call immediately on that camera. And then our automation workflows kick in so that you can fix the camera and get it back to normal, as quickly as possible.
We see that a lot in terms of cyber security; though, I would wager that those seeking to do harm are somewhat less concerned about what the cameras are capturing, from a visual perspective, and much more interested in the fact that those cameras are sitting on a network, and that’s when you get into some of the really troubling areas of cyber hygiene in the physical security space. We have seen for many, many years that physical security professionals are overly detached from the realities of cyber security best practices, and the result of that is that sometimes cameras are put on networks willy nilly, without concern for who made those cameras, their cyber security track record, the risk vectors that that could contain, and what the network those cameras are on could eventually lead to if you had a case of lateral movement.
So this is when you get into things like exfiltrating data, or even just using those cameras as a part of a botnet. I mean, the Mirai botnet, many years ago, which sort of shut down many of the big social media players, was totally done through untrustworthy cameras, which they used as a platform to launch a massive denial-of-service attack.
This is the sort of risk profile that I think a lot of physical security people don’t take into mind as much as they should. But what we’ve seen in the report this year is that the convergence of physical security has had a really salutary effect on the level of awareness around cyber security in the physical security space. By bringing it into the mix, you start implementing best practices, right? You’re doing vendor risk assessments, you’re looking at the surface of attack. You’re doing regular pen testing. You’re prioritising manufacturers who do their own pen testing, who have the ability to report and track bugs ...
So this, to me, is where we’re seeing the industry mature, and it’s showing up in this year’s report as well.
You can read Genetec’s State of Physical Security report here.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.