SUBJECT:

Headline - A Warning to Consumers: In-home Personal Privacy May be at Risk (in-home video security cameras)!


Background:

Over the last ten years, consumer markets have seen an impressive number of new services delivered via the internet (online banking, movies on demand, shopping and now home security monitoring).  These systems in and of themselves are not the problem.  A new in-home security service that firms such as ADT, Protection 1 and CPI are offering may have serious effects on Americans' most sacred concern; that is, what we and our children do in the privacy of our homes.  The new security service enables in-home video monitoring and remote control of your system via the internet.  We may know these services as ADT Safewatch, eSecure or CPI InTouch.


[Video: CPI InTouch clip 1]

[Video: CPI InTouch clip 2]


The trend to move online services into the cloud is something that we have all become accustomed to; the delivery of computer-based services via the internet is worth hundreds of billions of dollars and is strong and growing.  However, there is a major concern.

 
Issue:

Each year the US Secret Service and Verizon perform an in-depth data breach analysis, which focuses on external and internal attacks against company and government computer systems connected to the internet.

The 2012 Verizon Data Breach Investigations Report (DBIR), produced with the US Secret Service, found that:

  • 98% of intrusions resulting in data loss stemmed from external attackers; and

  • 4% of investigated intrusions implicated insiders who misused their privileges.

Many information security experts have observed that this ratio of external to internal threats has shifted over time; the real revelation in the newest data, however, is how the breaches occurred.


DBIR shows that:

  • 97% were preventable with known security controls and patches; and, most troubling,

  • 92% were discovered not by the breached companies' own staff, but by a third party.


Main Point:

Today, many security companies rely on and hold Underwriters Laboratories (UL) certification.  Although the UL standards are well known and are an important element of assurance, they do not cover how these firms maintain their own information security.  Information security experts have long understood the issue and see the problem clearly; today consumers need to be more aware of the policies and procedures in place at their home security company before using internet-connected in-home video services.

The idea that a teenager (or worse, someone targeting your family) connected to the internet could hack into a security company's monitoring system because the company failed to apply a software patch or enforce strong password controls, and thereby view what is occurring within our homes, is troubling at best.  Most people would not want their lives recorded and posted on YouTube for all to see.  Additionally, even though it is not directly stated, the 2012 DBIR data also suggests that there is more security companies need to do.  They should protect our in-home privacy by ensuring that their own employees do not misuse access to their monitoring systems as a means to violate our privacy.  Remember, it was not that long ago that IRS employees were fired for taking an unauthorized peek at celebrity tax records.  In short, when it comes to protecting our family's privacy versus relying on the unexamined operating practices of security companies, I believe former President Ronald Reagan stated it best: "trust but verify".


What security companies must do:

The key to national firms such as ADT, as well as regional ones like Protection 1 and CPI Security, ensuring that our privacy is protected begins with a comprehensive security policy, vigorously implemented procedural best practices, diligence in execution and ongoing third-party audited adherence reporting.  Remember, 92% of breaches were not uncovered by the internal staff of the companies whose systems had been breached, and 4% were caused by a company's own internal staff.  To address the noted vulnerabilities, security companies can ensure that their Chief Information Officer or Head of Information Security holds the ISACA professional designation Certified in Risk and Information Systems Control (CRISC).  ISACA is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance.
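What "audited adherence" to an access policy looks like in practice, for the insider-misuse risk raised above: a monitoring center that logs every operator view of a customer's video feed can check each view against the alarm events and service tickets that would justify it, and hand the exceptions to an auditor.  The following is an added illustration written for this article, not code from ADT, Protection 1, CPI or any other vendor.  The log formats, the operator and account identifiers, the 15-minute grace period after an event closes, and the review threshold are all assumptions made for the example; the sample log lines are constructed.

```python
"""
Added example (not from the original article or any named company):
a minimal audit check over constructed monitoring-center access logs.
It flags operator views of a customer's video feed that have no open
alarm event or service ticket for that account at the time of access,
i.e. the kind of unauthorized peek the article warns about.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one line per access to a customer video feed.
# Fields (assumed format): timestamp operator_id customer_account action
ACCESS_LOG = """\
2012-05-01T09:02:11 op17 ACCT-1001 VIEW_LIVE
2012-05-01T09:03:40 op17 ACCT-1001 VIEW_CLIP
2012-05-01T11:15:02 op23 ACCT-2044 VIEW_LIVE
2012-05-01T11:16:30 op23 ACCT-2051 VIEW_LIVE
2012-05-01T11:17:05 op23 ACCT-2060 VIEW_LIVE
2012-05-01T14:30:00 op05 ACCT-3002 VIEW_LIVE
"""

# Constructed sample data: alarm events / service tickets that justify access.
# Fields (assumed format): opened closed customer_account
EVENT_LOG = """\
2012-05-01T08:58:00 2012-05-01T09:20:00 ACCT-1001
2012-05-01T14:25:00 2012-05-01T14:45:00 ACCT-3002
"""


def parse_access_log(text):
    """Parse access log lines into dicts with a real datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, account, action = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "operator": operator,
                     "account": account, "action": action})
    return rows


def parse_event_log(text):
    """Map each customer account to its list of (opened, closed) windows."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        opened, closed, account = line.split()
        events[account].append((datetime.fromisoformat(opened),
                                datetime.fromisoformat(closed)))
    return events


def is_authorized(row, events, grace=timedelta(minutes=15)):
    """A view is authorized if an event for that account was open at the
    time of access, allowing an assumed grace period after the event closed
    (e.g. to save a clip for the incident report)."""
    for opened, closed in events.get(row["account"], []):
        if opened <= row["ts"] <= closed + grace:
            return True
    return False


def unauthorized_views(access_text=ACCESS_LOG, event_text=EVENT_LOG):
    """Return every access row that no event or ticket justifies."""
    events = parse_event_log(event_text)
    return [r for r in parse_access_log(access_text)
            if not is_authorized(r, events)]


def operators_to_review(unauth, min_accounts=2):
    """Operators who viewed at least min_accounts distinct accounts without
    authorization; browsing across many homes is the IRS-style pattern."""
    per_op = defaultdict(set)
    for r in unauth:
        per_op[r["operator"]].add(r["account"])
    return {op for op, accts in per_op.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    bad = unauthorized_views()
    for r in bad:
        print(f"UNAUTHORIZED {r['ts']} {r['operator']} {r['account']} {r['action']}")
    print("operators to review:", sorted(operators_to_review(bad)))
```

Run on the constructed data, the check passes op17 and op05 (each view falls inside an open alarm event for that account) and flags op23's three views, which touch three different homes with no event on file; op23 is therefore the one operator an auditor would ask about.  The point for a consumer is that a company able to produce this kind of exception report has the raw material for the third-party audited adherence reporting recommended above.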


What a consumer can do:

Consumers should request from security companies a copy of their information security protection policy and their annual third-party audited performance reports.  It is important to keep in mind that none of the companies mentioned has had a reported breach.  It is, however, in our best interest to ensure that security companies are as good at protecting our privacy, by diligently managing their systems, as they are at marketing new internet-based services.


References: 

Verizon & US Secret Service Data Breach Investigations Report (2012)

ADT Video Surveillance

Protection1 Video Surveillance

CPI Video Surveillance

UL Alarm Company Certification Program
 

About the Author:

Baron Thrower serves as TTG's Managing Director/CIO and is the Information Technology & Security Advisory Senior Business Executive.  Additionally, he is the Practice Lead for the Technology Innovation, Protection and Cost Take-Out Practice.  Prior to TTG, Baron was Senior Vice President of Infrastructure Technology at Liberty Mutual Group, Senior Vice President of Enterprise Architecture at Bank of America and Chief Information Officer of ITT Corporation.  Baron has more than 20 years of executive experience leading talented people, implementing business-enabling technology and privacy protection, and creating value-focused processes.  Throughout his career, he has successfully reduced time to value, created new products and increased business revenues across numerous disciplines including customer service, supply chain and information technology.

He is a graduate of Langston University with a BS in Computer Science, is a Six Sigma Master Black Belt and a Member of the Society for Information Management, and holds the distinguished ITIL Certified Information Service Management and ISACA Certified in Risk and Information Systems Control (CRISC) designations.