There probably aren’t many people still working in the AV industry who remember Brain. Brain was the first ever virus to target MS-DOS – it entered PCs via a floppy disk, infecting the boot sector – in 1986. In 1988 – back in the day when the entire internet consisted of around 60,000 machines – the Morris Worm became the first virus to be distributed via the network, infecting around 10% of those systems. It was little consolation to users to subsequently find out it was an accident…
Fast forward to 2018. In the third quarter, anti-virus company Kaspersky alone claims to have blocked almost 950 million virus attacks. The company detected more than 300,000 attempts to access bank accounts. Ransomware attacks numbered over a quarter of a million. And those are just three of the many, many threats posed to the security of the world’s computer systems. In the first half of 2018, it’s estimated that some 4.5 billion records were exposed as a result of data breaches. It’s believed that, by 2020, the annual cost of data breaches will reach $2.1 trillion. Accenture estimates that the average cost of a malware attack to a company is $2.4 million. Those are the kind of numbers that keep IT managers awake at night.
Today, in its new, network-centric form, in which almost every audiovisual device has some form of network connectivity, the AV industry too needs to be thinking about security, especially as AV becomes more closely aligned with the IT domain – and increasingly mission critical.
Responsibility to the enterprise
Launching its Recommended Practices for Security in Networked AV Systems guide just under a year ago, Ann Brigida, AVIXA’s senior director of standards, said: “We have a responsibility to the enterprise whose networks we’re on to make sure our AV systems are not enabling intrusions; that we’ve done everything we can to understand what’s at stake and take steps to mitigate the risk for the entire enterprise. There are many standards and practices that have been put in place through the years to lock down the opportunities for hackers and prevent breaches, and many cyber-security firms provide 24/7 intrusion detection. But most of the standards and guidance deal with the network itself and not the systems being put on the network. That’s why AVIXA worked with subject matter experts to develop a set of best practices to keep the network safe while placing AV systems on it.”
It seems that such a guide is much needed. “AV security is in a weak position today,” believes David Martens, product security architect at Barco. “Security has only received the focus it deserves over the past couple of years – and many vendors are still struggling to get it implemented correctly.”
The latter may seem a bold claim – but Stuart Davidson, technical services director at integrator AVMI, sees a similar situation.
“There’s a growing understanding of the importance of security,” he nods. “However, it’s fair to say that we often see major security risks when discussing legacy technology solutions. We’re sometimes just as surprised by a manufacturer’s lack of understanding of the importance of security. It’s important to us to choose to work with vendors and partners who share the same goals and vision that we and our customers have.”
“However,” he continues, “major AV manufacturers are also now starting to understand, and are working hard to ensure that standardised and approved security measures are incorporated into devices.”
Spiros Andreou, service delivery manager at integrator CDEC, also believes there’s room for improvement – an improvement that, if not executed, leaves the entire AV industry as it is today at risk.
“There are few equipment manufacturers who work with Android systems who take this as seriously as they should,” he says, “and we believe that is why Android systems have failed to penetrate the legal/banking sectors as much as they could.”
“We cannot overstate the risks to the market that are presented by the massive IT players coming to compete with the established manufacturers and integrators in the AV world,” he goes on. “Five years ago, it would have been unthinkable to be in a competitive process for a classroom against Sony, Microsoft and Cisco – but that reality is very much upon us. The poor security of AV devices is an argument that larger IT companies can make that there is no place for them in the corporate – or indeed, the education – world, so the sector must change to face the challenge.”