Managing Cybercrime – Why You Need a Security Policy and What It Should Contain

Every journey starts with a single step. But without a map, you’re lost before you get started. It’s the same when it comes to preventing cybercrime: You need a guide, a living one, as the map of cyber threats is constantly changing.

Computers in everything: A network camera is a computer with a lens

Today, all networked video security systems are computer-based. A network camera is a computer with a lens, NVRs are computers with limited functionality, and video management software (VMS) systems are computer applications. What do they have in common? They are all susceptible to the same cyber threats as any other computer system.

Some think that damage in a security video context is limited to somebody getting unlawful access to video recordings. But that’s just one part of it. Cybercrime is a far more complex matter, as it entails a lot more than unauthorized access to business data.  User accounts can be compromised, mission-critical systems accessed through the VMS infrastructure or data can be taken hostage. These are but a few of the malicious acts performed by cyber criminals in this day and age.

Cybersecurity: Why it’s a necessary investment

Video security systems are mission-critical: They must operate faultlessly 24/7 to protect people and assets. The same can be true for video systems used for other purposes than pure security. A system that monitors crowd flow in a shopping mall will impact the bottom line if digital signage, marketing statistics and crowd control services cease to operate.

We will soon see businesses being evaluated in status based on their ability to manage cybersecurity.  When companies venture into partnerships, they require certainty that their partners maintain a high level of cybersecurity. There is no doubt this will be an important parameter when it comes to partner selection.

A security policy is the first step towards an unhackable system – and a more efficient organization

An IT system is never 100 percent safe. Cyber threats are in constant motion and security policies have to be updated accordingly. It isn’t easy: you have to know about a threat to be able to mitigate it. And this takes time, meaning that you will always be behind in defending your

A security policy defines and documents your organization’s established position on the security risks that must be controlled in order to meet the safety needs  of the business., These will ultimately fund security controls and bear any residual risk. It is crucial that a security policy is a “living document”, continuously updated as technology and employee requirements change.

A security policy’s objectives in a nutshell: Preserve Confidentiality, Integrity and Availability

  • Confidentiality: The protection of assets from unauthorized entities.
  • Integrity: Ensures that the modification of assets is handled in a specified and authorized manner.
  • Availability: Only authorized users have access to said assets.

A company’s security policy should address the objectives, scope, specific goals, adherence to formal regulations and responsibilities for compliance, and actions to be taken if a cybersecurity threat occurs. It plays an important role in determining decisions and direction, but it should not alter the organization’s overall strategy or mission. It is important to build a policy on the organization’s existing cultural and structural framework in order to support continuous productivity and innovation. If the policy is too generic, it might just impede the organization from meeting its mission and goals.

Getting your security policy right will also improve your organization’s ability to do business.

…by 2018, 50 percent of organizations in supply chain relationships will use the effectiveness of their counterpart’s security policy to assess the risks in continuing the relationship, up from 5 percent [in 2015]. – IT analyst company Gartner

How do you make a system user-friendly and secure?

An unsecured system is easy to use: You just connect and get to work. Maximum security systems with biometric user identification, extra hardware and complex user login procedures are not particularly user-friendly. Also, the more secure the hardware, the higher the cost.  The balance between user-friendliness and impenetrable security must be taken into consideration in a useful security policy.

 Here’s what to do whether you do or you don’t have a security policy

If a video system is deployed in a greater IT context, there might already be a security policy in place. In that case, you need to extend this policy to the video security system. If this is not the case, it is a good idea to contact a professional security consultant.

Knowing how to construct a security environment is different from translating it into a written set of enforceable rules. A lot of companies struggle with striking a balance between the right level of guidance, a sufficiently direct style and a risk-based approach. And if you can’t translate your requirements into an effective policy, you have little hope of enforcing your requirements. This may well demand outside resources with knowledge about security policy standards for your region/industry.

A good way to get an overview of the cybersecurity situation is to read the free Microsoft Security Intelligence Report issued twice a year. Milestone is a Microsoft partner: our software is Windows-based and we therefore adhere to the Microsoft guidelines for security.


Milestone-JOS_Svendsen.PRManagerEMEAby Jos Svendsen, Corporate Communications Manager EMEA, Milestone Systems