Page 26 - Security Today, May/June 2025
CYBERSECURITY
The Cybersecurity Time Bomb
By Will Knehr
If you work in physical security, you have probably seen it: a camera, access control system, or intrusion detection device installed years ago, humming along without a single update. It is a common scenario that security professionals have come to accept as “normal.” But here is the reality: this mindset is actively putting organizations at risk.
The security industry (manufacturers, integrators and end customers) has a massive problem: treating security technology like static infrastructure. Unlike a door or a fence, security devices today are essentially networked computers, and leaving them untouched for years is no different than running an old Windows XP box on the open internet, a hacker’s dream.
THE “INSTALL IT AND FORGET IT” MENTALITY
Most security deployments follow a familiar cycle:
Step 1. The sale is made. The customer chooses a security system based on features, cost, and brand reputation. Cybersecurity isn’t usually a significant factor in the buying decision.
Step 2. The system is installed. Integrators deploy cameras, access control, and other devices, get them up and running, and hand everything over to the end user.
Step 3. Nothing happens. No one thinks about firmware updates. No one checks for vulnerabilities. The system runs for years.
And then, one day, something happens. Maybe an attacker exploits an old vulnerability. Ransomware may lock down the entire network. Maybe an IP camera gets hijacked and used in a botnet attack. And suddenly, everyone is asking: “Why wasn’t this system secured?” The answer? Because no one took ownership of keeping it secure.
WE SHOULD HAVE LEARNED BY NOW
A perfect example of this problem is Mirai, the botnet that weaponized thousands of unpatched IoT devices to launch history’s most significant DDoS attacks. When Mirai hit the news in 2016, it wasn’t exploiting some sophisticated zero-day (a software flaw that is unknown to the vendor or developers, meaning there is no patch or fix available).
The vulnerability had been patched years earlier. The problem was that most devices had never been updated.
Fast forward to today, and the same issue persists. Thousands of security cameras, NVRs, and access control systems are still unpatched on networks because no one prioritized updates. If Mirai wasn’t enough of a wake-up call, what would be?
A THREE-WAY BLAME GAME
The problem is not just on one side. It is a perfect storm of bad habits from manufacturers, integrators, and end customers.
For their part, some manufacturers still design products with a ship-it-and-forget-it mentality. They build hardware, ship it and move on to the next model. Many devices still ship with default admin passwords that never get changed. Firmware updates are often buried on a website somewhere with no automated update process.
Worse, some manufacturers treat their products as obsolete within a few years, even if customers still use them. This leaves integrators and customers on their own to secure products never built with cybersecurity in mind.
Integrators are stuck in the middle, expected to be cybersecurity experts whether they want to be or not. If a vulnerability is discovered after deployment, customers often turn to the integrator first, even if the manufacturer has not provided an update or the system is beyond its supported lifecycle.
However, integrators are running a business, and patching is not a revenue-generating activity. Customers are reluctant to pay for ongoing cybersecurity maintenance, and many integrators do not have a built-in service model for regular updates. Making matters worse, many security devices do not have easy remote update mechanisms. If firmware updates require on-site visits or manual downloads, they often do not happen.
End customers, meanwhile, often do not think about cybersecurity until something goes wrong. IT and security teams do not always communicate, leading to security devices connected to the main corporate network without proper segmentation, running on outdated firmware, and still using default passwords years after installation. Many customers assume their security devices are secure out of the box, but that is rarely true.
BREAKING THE CYCLE
Fixing this problem starts with recognizing that cybersecurity is not a one-time setting; it is an ongoing process. Manufacturers need to take responsibility for long-term security by supporting products for longer lifecycles and shipping products with cybersecurity features enabled.
Integrators need to shift their approach as well. Cybersecurity can no longer be an afterthought; it needs to be built into service contracts with ongoing maintenance plans that include regular firmware updates and security checks. Security technicians also need better training on cybersecurity best practices, so they are not just installing equipment but actively securing it. Instead of leaving security configurations up to the customer, integrators should ensure devices are adequately secured at installation.
End customers must stop assuming cybersecurity is someone else’s job and start demanding more transparency from manufacturers. If a vendor cannot tell you how they handle security updates, that’s a red flag. Security devices should also be segmented from the main network to prevent a single compromised device from exposing an entire organization.
Will Knehr is the senior manager of Information Security and Data Privacy at i-PRO Americas.