Why AV is an Overlooked Cybersecurity Risk

Because AV equipment is not always seen as ‘business critical’ and is sometimes managed separately from the core IT infrastructure, it is frequently assumed to be safe – isolated on its own network or low risk by nature. But this complacency is dangerous. Many devices operate on older versions of software packages which are not always updated even when new versions are released for the device. This creates vulnerabilities in the system.

While hybrid working has brought convenience it’s also increased risk. Remote access may speed up troubleshooting, but it also expands the attack surface. Social engineering attacks such as phishing can trick users into handing over access credentials, especially when awareness is low.

As cyber attackers become more sophisticated, they’re shifting their attention to overlooked entry points like AV infrastructure. A good example is YouTuber Jim Browning’s infiltration of a scam call centre, where he used unsecured CCTV systems to monitor and expose criminals in real time. This highlights the potential for AV vulnerabilities to be exploited for intelligence gathering.

To counter these risks, organisations must adopt a more proactive approach. Simulated social engineering and phishing attacks can help assess user awareness and expose vulnerabilities in behaviour. These simulations should be backed by ongoing training that equips staff to recognise manipulation tactics and understand the value of security hygiene.

In parallel, organisations that use third parties for remote support should be prioritise partners that undergo independent security audits such as ISO 27001 and Cyber Essentials Plus. These accreditations help ensure that strict controls are in place around remote access, including the use of secure management tools and clearly defined policies governing their use.

Not all AV vulnerabilities are created equal. That’s where the Common Vulnerability Scoring System (CVSS) comes in. CVSS helps IT and AV teams prioritise their response by evaluating the complexity of an attack, the scope of its potential impact, and its effect on confidentiality, integrity, and availability.

Vulnerabilities with CVSS scores above 7.5 should prompt swift mitigation. Those rated at the maximum 10 out of 10 require immediate action due to their high severity and low complexity of exploitation. That said, patching these vulnerabilities isn’t always straightforward. In complex, interconnected AV environments, patching updates can introduce compatibility issues that disrupt operations. Organisations should adopt a measured, risk-based approach, balancing the likelihood of exploitation against operational stability.

The severity of breaches also depends on the device and its role. Compromised management interfaces or control code could allow attackers to manipulate systems or access other network devices. Exploited cameras and microphones can lead to breaches of video or audio data, posing serious privacy risks and enabling unauthorised surveillance.

To mitigate the risks posed by vulnerable AV systems, organisations should take a proactive and layered approach to security. This includes regularly updating device firmware and underlying software packages, which are often left outdated even when new versions are available. Strong password policies should be enforced, particularly on devices running webservers, with security practices aligned to standards like the OWASP Top 10.

Physical access to AV infrastructure must also be tightly controlled to prevent unauthorised LAN connections. Where legacy protocols like SCP, SFTP, FTP, or Telnet are still in use, these should be hardened or disabled wherever possible. Encrypting communication between devices using modern protocols such as TLS 1.3, and ensuring appropriate cipher suites are in place, helps safeguard data in transit. Similarly, encrypting data at rest, whether configuration files, control code or temporary data, adds another layer of protection, limiting the damage that can result from a breach.

Ultimately, security is a shared responsibility. While network teams play a central role in defending infrastructure, leaving all security decisions to them can be shortsighted. Many vulnerabilities stem from device-specific issues such as outdated firmware, default configurations, or poorly managed passwords that cannot always be mitigated by network controls alone. Even a well-configured device can present risks if it’s connected to a poorly segmented or insecure network.

AV professionals, IT leads, and vendors need to collaborate closely, sharing expertise and intelligence to identify vulnerabilities and address integration challenges. AV teams must take an active role by ensuring devices are updated and properly configured before deployment, clearly communicating potential risks and requirements to network teams, and following best practices such as implementing VLANs, restricting unnecessary traffic, and enabling secure management protocols.

AV systems may not be the first thing you think of when you hear ‘cybersecurity risk’ and that’s exactly the problem. From data leaks and surveillance breaches to unauthorised lateral movement across networks, the consequences of ignoring AV security are real. It’s time to treat AV like the critical infrastructure it has become. If you’re considering an AV installation, make security part of the conversation. Contact Cinos to see how we deliver technology that’s both effective and protected.