Freely subscribe to our NEWSLETTER

Research from Hanwha Vision Europe reveals a worrying gulf between users’ insistence that their video systems are protected from cyber-attacks - and their widespread failure to implement even simple measures to keep them secure.

The survey of over 1,000 IT and security managers across Europe reveals that an overwhelming 92% of IT and security managers claim their security systems, including video surveillance systems, are protected or highly protected from cyber-attacks.

Yet such confidence appears misplaced, as their organisations are not implementing even basic measures such as changing camera usernames and passwords (26%), ensuring their devices are running the latest firmware (12%), or securing access to Networked Digital Recorders (NDRs) and other devices (6%).

The research also discovered an alarming lack of awareness of cybersecurity regulations and compliance measures among those on whom organisational cybersecurity depends.

With less than one in two (47%) aware of the second Network and Information Security Directive (NIS 2), and only 23% familiar with the Cyber Resilience Act (CRA), these revelations provide cause for concern, as both EU regulations came into effect in October 2024.

Separately, Hanwha Vision’s research also reveals insufficient promotion of cybersecurity best practices at an organisational level. While around one in four (26%) promote the use of Multi-Factor authentication, only one in 10 organisations push the use of strong passwords.

John Lutz Boorman, Head of Product and Marketing at Hanwha Vision Europe, expressed alarm at organisations’ failure to implement even basic cybersecurity measures, as he urged users and the security industry to treat the research findings as a “wake-up call”.

“With the number of cyber-attacks on the rise, and the cost and impact of these security breaches growing all the time, organisations must match words with actions to boost their video network resilience,” Boorman noted.

“Like any IoT device, an unsecured video camera can present a tempting route into an organisation’s network for bad actors - but even simple measures can help close off this path,” he continued.

The research found that failure to follow best practices for keeping video surveillance networks safe from cyber-attack is not unique to any sector and is highly prevalent even in high-risk industries with extensive experience of cybercrime, such as financial services.

“While it is the user’s responsibility to keep their networks secure, it is clearly in the interest of manufacturers and installers to help them maintain system resilience, and the wider security industry must do more to help,” said Boorman.

Key research findings:

1. Strong belief in system resilience - but insufficient action to merit it.

An overwhelming 92% of European IT and security managers claim their security systems, including video surveillance systems, are protected or highly protected from cyber-attacks. Faith in system resilience is higher among security managers (95%) than IT managers (89%).

When asked about their video systems, however, only around one in four (26%) of those surveyed are undertaking simple measures such as changing camera usernames and passwords, while only 12% ensure their devices are running the latest firmware.

Only a tiny minority (6%) of IT and Security Managers secure physical access to NDRs and other devices to permitted users, further illustrating how organisations are leaving themselves open to damaging cyber-attacks.

The research also uncovered a lack of suitable measures to enforce the resilience of the networks on which video cameras sit. Less than one in four (22%) deploy a VPN on the network, only 6% place cameras on a separate physical network to corporate or other operational networks, and only 3% use a VLAN to keep their security network separate from other networks.

2. Lack of awareness of cybersecurity regulations

Despite faith in their own network resilience, the research shows that an alarming number of IT and security managers are unaware of both established and forthcoming regulations and compliance measures introduced to enhance cybersecurity.

Less than one in two are aware of NIS2 (47%), and under one in four (23%) are aware of the CRA - despite these important regulations coming into effect in October 2024. Only 16% of those surveyed are aware of the international standard for managing information security, ISO 27001, while a mere 14% are familiar with the US National Defense Authorization Act (NDAA), which prohibits federal agencies and their contractors from using video surveillance equipment from a number of named manufacturers. Previous research undertaken by Hanwha Vision revealed that one in two security sanagers expect legislation similar to the NDAA to become law in their own country at some point, and 42% would actually support a version of the NDAA becoming law in their own country.

3. Insufficient promotion of cybersecurity best practice

When asked how their organisations promote cybersecurity, less than one in two (41%) say they are reminded to remain up-to-date with updates and device firmware. Only one in 10 organisations promote the use of strong passwords, while only around one in four (26%) promote the use of Multi-Factor authentication.

The full research findings, including an analysis of variations between countries, industry sectors, organisation sizes, and roles, can be found here: Cybersecurity Report. They also feature a guide to networked video cybersecurity best practices.