The Cybersecurity Time Bomb

  • By Will Knehr
  • May 19, 2025

If you work in physical security, you have probably seen it: a camera, access control system, or intrusion detection device installed years ago, humming along without a single update. It is a common scenario that security professionals have come to accept as "normal." But here is the reality: this mindset is actively putting organizations at risk.

The security industry, manufacturers, integrators and end customers have a massive problem treating security technology like static infrastructure. Unlike a door or a fence, security devices today are essentially networked computers and leaving them untouched for years is no different than running an old Windows XP box on the open internet, a hacker’s dream.

The "Install It and Forget It" Mentality
Most security deployments follow a familiar cycle:

Step 1. The sale is made. The customer chooses a security system based on features, cost, and brand reputation. Cybersecurity isn’t usually a significant factor in the buying decision.

Step 2. The system is installed. Integrators deploy cameras, access control, and other devices, get them up and running, and hand everything over to the end user.

Step 3. Nothing happens. No one thinks about firmware updates. No one checks for vulnerabilities. The system runs for years.

And then, one day, something happens. Maybe an attacker exploits an old vulnerability. Ransomware may lock down the entire network. Maybe an IP camera gets hijacked and used in a botnet attack. And suddenly, everyone is asking: “Why wasn’t this system secured?” The answer? Because no one took ownership of keeping it secure.

We Should Have Learned by Now
A perfect example of this problem is Mirai, the botnet that weaponized thousands of unpatched IoT devices to launch history's most significant DDoS attacks. When Mirai hit the news in 2016, it wasn’t exploiting some sophisticated zero-day (a software flaw that is unknown to the vendor or developers, meaning there is no patch or fix available).

The vulnerability had been patched years earlier. The problem was that most devices had never been updated.

Fast forward to today, and the same issue persists. Thousands of security cameras, NVRs, and access control systems are still unpatched on networks because no one prioritized updates. If Mirai wasn’t enough of a wake-up call, what would be?

A Three-way Blame Game
The problem is not just on one side. It is a perfect storm of bad habits from manufacturers, integrators, and end customers.

For their part, some manufacturers still design products with a ship-it-and-forget-it mentality. They build hardware, ship it and move on to the next model. Many devices still ship with default admin passwords that never get changed. Firmware updates are often buried on a website somewhere with no automated update process.

Worse, some manufacturers treat their products as obsolete within a few years, even if customers still use them. This leaves integrators and customers on their own to secure products never built with cybersecurity in mind.

Integrators are stuck in the middle, expected to be cybersecurity experts whether they want to be or not. If a vulnerability is discovered after deployment, customers often turn to the integrator first, even if the manufacturer has not provided an update or the system is beyond its supported lifecycle.

However, integrators are running a business, and patching is not a revenue-generating activity. Customers are reluctant to pay for ongoing cybersecurity maintenance, and many integrators do not have a built-in service model for regular updates. Making matters worse, many security devices do not have easy remote update mechanisms. If firmware updates require on-site visits or manual downloads, they often do not happen.

End customers, meanwhile, often do not think about cybersecurity until something goes wrong. IT and security teams do not always communicate, leading to security devices connected to the main corporate network without proper segmentation, running on outdated firmware, and still using default passwords years after installation. Many customers assume their security devices are secure out of the box, but that is rarely true.

Breaking the Cycle
Fixing this problem starts with recognizing that cybersecurity is not a one-time setting; it is an ongoing process. Manufacturers need to take responsibility for long-term security by supporting products for longer lifecycles and shipping products with cybersecurity features enabled.

Integrators need to shift their approach as well. Cybersecurity can no longer be an afterthought; it needs to be built into service contracts with ongoing maintenance plans that include regular firmware updates and security checks. Security technicians also need better training on cybersecurity best practices, so they are not just installing equipment but actively securing it. Instead of leaving security configurations up to the customer, integrators should ensure devices are adequately secured at installation.

End customers must stop assuming cybersecurity is someone else’s job and start demanding more transparency from manufacturers. If a vendor cannot tell you how they handle security updates, that’s a red flag. Security devices should also be segmented from the leading network to prevent a single compromised device from exposing an entire organization. Most importantly, cybersecurity maintenance needs to be budgeted for; treating it as a one-time cost is a recipe for disaster.

The solution is not a mystery; it is a matter of taking responsibility at every level. Whether you are a manufacturer, an integrator or a customer, it is time to stop passing the buck and start treating cybersecurity as the ongoing, critical process that it is.

This article originally appeared in the May / June 2025 issue of Security Today.

Featured

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

  • The Future is Happening Outside the Cloud

    For years, the cloud has captivated the physical security industry. And for good reason. Remote access, elastic scalability and simplified maintenance reshaped how we think about deploying and managing systems. But as the number of cameras grows and resolutions push from HD to 4K and beyond, the cloud’s limits are becoming unavoidable. Bandwidth bottlenecks. Latency lags. Rising storage costs. These are not abstract concerns. Read Now

  • Right-Wing Activist Charlie Kirk Dies After Utah Valley University Shooting

    Charlie Kirk, a popular conservative activist and founder of Turning Point USA, died Wednesday after being shot during an on-campus event at Utah Valley University in Orem, Utah Read Now

  • The Impact of Convergence Between IT and Physical Security

    For years, the worlds of physical security and information technology (IT) remained separate. While they shared common goals and interests, they often worked in silos. Read Now

Most   Popular

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.