Cybersecurity is a growing concern for businesses. Every advancement in technology provides new security loopholes and risks. What’s more, the cost of recovering from cyberattacks can be crippling.
In this interview, Fred Streefland, Director of Cybersecurity and Privacy at Hikvision EMEA, discusses some of the common cybersecurity misconceptions prevalent across social and other media.
Benchmark: Why do you think misconceptions about cybersecurity arise?
Fred Streefland: Today, anyone can post their views, opinions, and versions of ‘the truth’ on social media and other online platforms. At the same time, media providers are increasingly aligned with other stakeholders and viewpoints – giving certain bias to their coverage of people and events.
Because of this, many social commentators have written that we now live in a post-factual era, where ‘people are more likely to accept an argument based on their emotions and beliefs, rather than one based on facts’. So it’s worth considering the impact of misinformation and ‘fake news’ on our industry. These are myths that tend to be driven by emotional responses rather than facts, and they can be confusing and sometimes even dangerous.
B: Could you give us an example of a common cybersecurity myth?
FS: OK, think about the way that the media tends to describe security vulnerabilities as ‘backdoors’. Whenever a vulnerability is discovered in a camera or other network-connected product, the media loves to call it a ‘backdoor’, but in fact, vulnerabilities and backdoors are two completely different things.
Vulnerabilities can happen in any network-connected device which incorporates both hardware and software. In fact, vulnerabilities are inevitable and happen accidentally. There’s research to show that we can expect 2 to 3 bugs in every thousand lines of code.
Security-conscious device manufacturers minimise vulnerabilities wherever possible using ‘secure-by-design’ production processes. If you imagine that some business applications consist of several million lines of code, and modern cars could even contain more than 100 million lines of code, you can do the math.
Backdoors, on the other hand, are security loopholes that are added on purpose to device software to allow manufacturers or others to access devices and the data stored on them.
On rare occasions, backdoors are added temporarily to products by manufacturers to support development, testing, or maintenance processes – and these backdoors are not removed by accident.
B: Is it true that some manufacturers add backdoors to their products for illicit reasons – like spying?
FS: No. Why? Because these ‘illicit reasons’ are not possible. Once security devices such as cameras are installed in customer networks, they are effectively ‘ring fenced’ in security, primarily placed in a stand-alone network, and often protected by firewalls and other security devices. And even if the end-user decides to store the data from these devices in a cloud, cloud providers have security Service License Agreements or SLAs that keep that data private, ensuring it cannot be accessed by external companies, such as device manufacturers.
This is important because the end-users who buy these cameras are responsible for the data/video footage they generate. In other words, they’re the data custodians who process the data and control the video footage, which is legally required to be kept private. Secret access to video footage on these devices is impossible without the consent of the end-user.
So even devices with backdoors can’t be used to spy on companies, individuals, or nations. The security features built into devices, networks, and data centres, combined with end-users’ data-protection responsibilities, make espionage and other misuses of backdoors impossible.
B: But I’ve read that adding backdoors to products represents no real risk for a manufacturer? Is that right?
FS: Not at all – in fact, literally the opposite is true. Device manufacturers who add backdoors to their products have absolutely everything to lose. We’ve seen the evidence of high-profile business scandals and data breaches which show us that the truth always comes out. And what’s more, if a company is found to have deliberately added a backdoor to a product, their reputation would be destroyed, along with their business, virtually overnight.
This means that all companies, especially large companies with their IP and R&D capabilities, have a range of checks and balances to ensure that no backdoor is ever added to a product deliberately. This is especially the case in the security industry, where manufacturers are expected to protect customers’ data and operations 24 hours a day, seven days a week.