Kinly Blog | Visual Collaboration News & Insights

Security First: Robust Build Standards for Secure AV Deployments

Written by George Pierson | Nov 7, 2024 8:00:00 AM

Imagine you’ve finished a presentation in a high-tech boardroom announcing plans for the launch of your latest and greatest product. You later discover the details have reached your competitors before you even had the chance to reflect on how well things went. What happened?

AV systems have evolved from simple setups to complex, network-integrated systems. The days of thinking AV equipment is too basic to be targeted are over. These systems can easily become entry points for cyberattacks, making strong security standards more essential than ever.

Secure by Design: Building security into every layer

Kinly’s cybersecurity team often uses this anecdote, and it always resonates: if you were building a house, you wouldn’t install the windows and later decide where the walls will go. The same principle applies to AV security.

As opposed to applying security measures in retrospect, the concept of Secure by Design means integrating security from the very beginning. This prevents reactive patching, system downtime, and heavy expenditure. To be Secure by Design, begin with risk assessments that consider the sensitivity of the data and the environment. An AV system in a public space will have different security needs than one in a corporate boardroom where sensitive data is discussed.

Build standards: Setting the rules

If Secure by Design is the overall philosophy, build standards are the guidelines that ensure consistency and security across all deployments. Using standards like Center for Internet Security (CIS) benchmarks helps ensure that all components – displays, conferencing systems, microphones, cameras, control systems, and so on – are configured securely from day one.

A solid build standard means all deployments are consistent, reducing the chance of undetected weaknesses. This is all about creating a repeatable, measurable process for deploying AV systems to achieve a uniform level of security.

Customising to risk and data classification

Based on the risk assessment, not every AV system will need the same level of protection. Customising security based on risk and data classification will ensure your efforts aren’t misplaced. For example, low-risk systems – like public displays – only require basic security, such as network segmentation, secure access credentials, and disabling unused ports. In contrast, high-risk systems – like boardroom AV technology – demand more advanced security measures, including encryption of audio and video content, as well as strict access controls.

AV solutions are no longer simple devices. If one is compromised, malicious actors can easily move around a corporate network and access sensitive information. When clarifying and customising risk, it’s important to establish whether the system is online, offline, or part of a wider network to ensure the appropriate protocols are in place.

By aligning security measures with the level of risk and sensitivity, you can protect your AV deployments without over-engineering lower-risk systems.

Hardening procedures: Securing the epicentre

With a secure build in place, the next step is hardening. Essentially, this means tightening up any potential weak points.

Key hardening steps include:

  • Disabling unused features: If you don’t need it, turn it off. Extra features, like Bluetooth or remote access, only increase the attack surface.
  • Using strong encryption: Ensure all data exchanged between AV components, like in-room microphones and video transmission, is encrypted, especially for sensitive information.
  • Updating and patching regularly: Outdated systems are a hacker’s playground. Keeping firmware and software up to date is a simple but critical chore.
  • Password management: Using complex passwords and storing them securely minimises the risk of unauthorised access.

Hardening reduces the system's vulnerability by limiting what attackers can exploit. It’s the final reinforcement that ensures your AV deployment is secure.
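
One way to turn the tiered controls and hardening steps above into a repeatable check, as an added example that is not Kinly's own tooling. The setting names, device models, firmware versions and the notion of an approved firmware version per model are assumptions made for illustration.

```python
# Added example: audit AV device records against a risk-tiered build standard.
# Setting names, models and versions are hypothetical, constructed for illustration.
LOW = {"network_segmented": True, "default_credentials": False, "unused_ports_open": False}
HIGH = {**LOW, "media_encrypted": True, "access_control": "strict"}
BASELINES = {"low": LOW, "high": HIGH}
OPTIONAL_FEATURES = ("bluetooth", "remote_access")  # off unless the build sheet needs them

def parse_version(text):
    """'10.9.3' -> (10, 9, 3), so 10.9 sorts before 10.12 (string compare gets this wrong)."""
    return tuple(int(part) for part in text.split("."))

def audit(device, approved_firmware):
    """Return a sorted list of findings for one device record; empty means compliant."""
    baseline = BASELINES.get(device.get("risk_tier"))
    if baseline is None:
        return ["risk_tier: missing or unknown, run the risk assessment first"]
    cfg, findings = device.get("config", {}), []
    for key, required in baseline.items():
        # Fail closed: a setting absent from the record counts as non-compliant.
        if cfg.get(key) != required:
            findings.append(f"{key}: expected {required!r}, found {cfg.get(key)!r}")
    for feature in OPTIONAL_FEATURES:
        # Unknown state is treated as enabled.
        if cfg.get(feature, True) and feature not in device.get("required_features", ()):
            findings.append(f"{feature}: enabled but not required")
    approved = approved_firmware.get(device.get("model"))
    installed = device.get("firmware", "0")  # unknown firmware counts as oldest
    if approved is None:
        findings.append("firmware: no approved version recorded for this model")
    elif parse_version(installed) < parse_version(approved):
        findings.append(f"firmware: {installed} is older than approved {approved}")
    return sorted(findings)

# Constructed sample data.
APPROVED_FIRMWARE = {"lobby-display": "2.4.0", "boardroom-codec": "10.12.1"}
INVENTORY = [
    {"name": "lobby-01", "model": "lobby-display", "risk_tier": "low", "firmware": "2.4.0",
     "config": {**LOW, "bluetooth": False, "remote_access": False}},
    {"name": "boardroom-01", "model": "boardroom-codec", "risk_tier": "high",
     "firmware": "10.9.3", "required_features": ["remote_access"],
     "config": {**LOW, "media_encrypted": False, "access_control": "strict",
                "bluetooth": True, "remote_access": True}},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        for finding in audit(dev, APPROVED_FIRMWARE) or ["compliant"]:
            print(f"{dev['name']}: {finding}")
```

Running the same audit after every deployment and firmware update gives the repeatable, measurable process a build standard is meant to provide.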

Handing in your homework

Once you’ve built and hardened your system, it’s time to test. Testing verifies that your security measures are working as intended.

Testing methods and practices include:

  • Network security testing: Ensure communications between AV components are properly secured and encrypted.
  • Penetration testing: Simulate attacks to identify vulnerabilities and scan for any missed passwords.
  • Audit trails: Ensure logging and monitoring are in place so that unauthorised access or changes are traceable. That goes for all capabilities on the network, not just AV systems.
  • Test reports: Document the results of test procedures for client review.
  • Remaining vigilant: Review databases such as CVE for publicly disclosed cybersecurity vulnerabilities.

Logging the testing process in your Secure by Design or low-level design documentation creates proof of work, demonstrating that the system is secure and all necessary steps have been taken. It’s also useful for compliance with industry standards and provides a clear record if something goes wrong.

Maintaining standards

Compliance isn’t just about ticking boxes. In many industries, AV systems need to adhere to standards such as ISO/IEC 27001, HIPAA, or even GDPR, depending on the environment and whether systems are storing client data.

By following compliance standards and ensuring they are reviewed regularly, you not only avoid damages and legal risks, but also ensure your AV system is built to withstand modern security threats.

Closing thoughts: Security from the ground up

Deploying AV systems that are nice to look at is great. However, making certain they’re secure from the ground up is essential. By implementing Secure by Design principles, adhering to build standards like CIS benchmarks, customising security based on risk and data classification, and rigorously testing, your AV systems will be as impressive as they are reliable and resilient.

AV systems are no longer just about sound and visuals – they’re integral parts of your network and communication infrastructure. Prioritising security from the start is the key to ensuring your systems remain secure in an increasingly connected world.

The last thing you want after a critical presentation is to find that somebody’s been eavesdropping on your new intellectual property and leaking information to your competitors.