Cybersecurity for Security Installers: Your Responsibility Does Not End at the Physical Install
Cybersecurity for security installers has become as important as the physical installation itself. Every alarm panel, security camera, NVR, and access controller installed in 2026 is an IP-connected network device that faces the same cyber threats as any computer or server. Yet the training and practices of many security installers have not kept pace with this reality. A camera professionally installed with perfect positioning and crystal-clear image quality can still be a security liability if it is left running default credentials on an unsegmented network with outdated firmware and UPnP-enabled remote access.
For alarm and CCTV installers working across New Zealand, integrating cybersecurity best practices into every installation is no longer optional — it is a professional obligation. Clients trust you to make their property more secure, and a networked security system with poor cyber hygiene can achieve the opposite, creating vulnerabilities that did not exist before the installation.
The Installer’s Cybersecurity Responsibility
The relationship between a security installer and their client creates an implicit expectation: the system you install will make the property more secure than it was before. When that system introduces network vulnerabilities — open ports, default passwords, unencrypted communications — it potentially makes the property less secure by giving attackers a foothold they did not previously have.
This is not a theoretical concern. High-profile incidents have demonstrated that compromised security cameras and alarm systems can be used to:
- Stream private footage to public websites without the owner’s knowledge
- Disable alarm systems remotely, clearing the way for physical intrusion
- Recruit devices into botnets that attack other systems
- Pivot through the security system to access other devices on the client’s network, including computers with sensitive data
- Intercept alarm signals, preventing legitimate alerts from reaching the monitoring centre
As the professional who configures and commissions these systems, the installer is uniquely positioned — and arguably uniquely responsible — to ensure they are hardened against these threats.
Essential Cybersecurity Steps for Every Installation
1. Change Every Default Password
This is the single most critical cybersecurity action, and the one most frequently neglected. Every camera, NVR, alarm panel, and network device ships with a default administrative password. These defaults are publicly documented in user manuals, online databases, and hacking tools. Leaving any device on a default password is equivalent to leaving the front door unlocked.
Best practice for password management during installation:
- Generate a unique, strong password for each device — at least 12 characters with a mix of upper and lower case letters, numbers, and symbols
- Use a different password for each device, not a single password across the entire installation
- Document all passwords securely and provide them to the client in a sealed envelope or encrypted file
- Never use your company’s standard password across multiple client installations — if one site is compromised, all sites using the same password are vulnerable
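The password practice above as an added example (not part of the original article): a Python sketch that issues one random password per device, enforces the 12-character minimum and all four character classes, and refuses reuse. The symbol set, site name and device names are assumptions for illustration.

```python
import secrets
import string

# Symbol set is an assumption: some device web UIs reject certain characters,
# so adjust it to what the installed hardware accepts.
SYMBOLS = "!@#$%^&*-_=+"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
MIN_LENGTH = 12  # minimum length from the checklist above


def generate_password(length=16):
    """Return a random password containing all four character classes."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: retry until every class is represented.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def build_credential_sheet(site, devices, length=16):
    """Map each device name to its own password; no value is reused."""
    if len(set(devices)) != len(devices):
        raise ValueError("device names must be unique")
    sheet, used = {}, set()
    for name in devices:
        password = generate_password(length)
        while password in used:  # collision is very unlikely, but checked
            password = generate_password(length)
        used.add(password)
        sheet[name] = password
    return {"site": site, "credentials": sheet}


if __name__ == "__main__":
    # Constructed device list for illustration.
    record = build_credential_sheet(
        "example-site", ["nvr-01", "cam-front", "cam-rear", "alarm-panel"])
    for device, password in record["credentials"].items():
        print(f"{device:12} {password}")
```

Run it once per site so no password is shared between client installations, and store the output only in the encrypted file or sealed record handed to the client.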
2. Disable UPnP on the Router
Universal Plug and Play allows devices to automatically open ports on the client’s router, exposing them to the internet. While this makes remote access configuration easier, it also makes the devices discoverable and accessible to anyone scanning the internet. Disable UPnP on the client’s router and configure any required remote access manually using specific port forwarding rules — or, better yet, use the manufacturer’s P2P cloud service that does not require open ports at all.
3. Enable HTTPS and Disable HTTP
Ensure that the web interfaces of all cameras, NVRs, and alarm panels use HTTPS (encrypted) connections rather than HTTP (unencrypted). When devices communicate over HTTP, login credentials and configuration data travel across the network in plain text, visible to anyone with access to network traffic. Most current-generation security devices support HTTPS — enable it during commissioning and disable HTTP access entirely once HTTPS is confirmed working.
4. Update Firmware Before Handover
Before handing the system to the client, update the firmware on every device to the latest version available from the manufacturer. This ensures that known vulnerabilities patched since the device was manufactured are addressed before the system goes live. Document the firmware versions installed and advise the client on the importance of ongoing updates.
5. Segment Security Devices on Their Own Network
Wherever practical, configure security cameras and alarm devices on a separate VLAN or subnet from the client’s general IT network. This segmentation prevents a compromised security device from being used to attack computers, file servers, or point-of-sale systems on the client’s primary network.
For residential installations where VLAN configuration may be impractical, recommend that the client places IoT devices on a separate Wi-Fi network (most modern routers support this) isolated from their personal devices.
Network Configuration Best Practices
Remote Access Security
Clients expect to view cameras and receive alarm notifications on their phones. The method used to enable this remote access is one of the most significant cybersecurity decisions in any installation.
Preferred method — P2P cloud services: Most major security manufacturers offer proprietary cloud services (Hik-Connect, Dahua DMSS, Ajax Cloud, etc.) that enable remote access without opening any ports on the client’s router. The device establishes an outbound encrypted connection to the manufacturer’s cloud server, and the mobile app connects to the same server. No inbound ports are needed, dramatically reducing the attack surface.
Acceptable method — VPN access: For clients who prefer not to use cloud services, configuring a VPN on the router provides encrypted remote access to the local network without exposing individual device ports to the internet.
Method to avoid — direct port forwarding: Opening ports on the router to expose camera or NVR web interfaces directly to the internet is the highest-risk remote access configuration. If this method must be used, use non-standard port numbers, ensure HTTPS is enabled, and use the strongest available authentication.
Disabling Unnecessary Services
Security cameras and NVRs often have services enabled by default that are not needed for the specific installation. SSH access, Telnet, FTP, SNMP, and multicast streaming may all be enabled out of the box. Disable any service that is not specifically required for the system to function. Each enabled service is a potential entry point for an attacker.
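A pre-handover check for the hardening steps above, as an added example (not part of the original article): a Python sketch that audits a commissioning record against each step and lists what still needs fixing. The record layout, device names, VLAN numbers and firmware versions are constructed assumptions.

```python
# Services the text names as often enabled out of the box.
DEFAULT_ON_SERVICES = {"ssh", "telnet", "ftp", "snmp", "multicast"}


def audit_device(dev, it_vlan):
    """Return hardening findings for one device record (empty list = pass)."""
    findings = []
    if not dev["default_password_changed"]:
        findings.append("default password still set")
    if dev["http_enabled"]:
        findings.append("HTTP still enabled")
    if not dev["https_enabled"]:
        findings.append("HTTPS not enabled")
    if dev["firmware"] != dev["latest_firmware"]:
        findings.append(f"firmware {dev['firmware']} behind {dev['latest_firmware']}")
    if dev["vlan"] == it_vlan:
        findings.append("shares VLAN with general IT network")
    # A listed service is acceptable only if this installation requires it.
    unneeded = (set(dev["services"]) & DEFAULT_ON_SERVICES) - set(dev["required"])
    findings += [f"unneeded service enabled: {s}" for s in sorted(unneeded)]
    return findings


def audit_site(site):
    """Audit the router and every device; map each name to its findings."""
    router = site["router"]
    report = {"router": []}
    if router["upnp_enabled"]:
        report["router"].append("UPnP enabled")
    for fwd in router["port_forwards"]:
        report["router"].append(f"inbound port forward: {fwd}")
    for dev in site["devices"]:
        report[dev["name"]] = audit_device(dev, site["it_vlan"])
    return report


# Constructed site record for illustration; all names and versions are made up.
SAMPLE_SITE = {
    "it_vlan": 10,
    "router": {"upnp_enabled": True, "port_forwards": ["8443 -> nvr-01:443"]},
    "devices": [
        {"name": "nvr-01", "default_password_changed": True, "http_enabled": False,
         "https_enabled": True, "firmware": "1.3.1", "latest_firmware": "1.3.1",
         "vlan": 20, "services": ["snmp"], "required": ["snmp"]},
        {"name": "cam-front", "default_password_changed": False, "http_enabled": True,
         "https_enabled": False, "firmware": "1.2.0", "latest_firmware": "1.3.1",
         "vlan": 10, "services": ["telnet", "ftp"], "required": []},
    ],
}

if __name__ == "__main__":
    for name, findings in audit_site(SAMPLE_SITE).items():
        print(name, "PASS" if not findings else findings)
```

A device with an empty findings list is ready for handover; the same report, kept with the job file, doubles as the firmware and configuration record given to the client.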
Documentation and Client Education
A cybersecurity-conscious installation includes documentation and client education that extends beyond the physical system operation.
Provide the client with:
- A record of all device passwords (stored securely)
- The firmware versions installed on each device
- Instructions for checking and applying firmware updates
- A clear explanation of why passwords should not be changed to simple memorable phrases
- Guidance on recognising phishing emails that may target their security system credentials
- A recommended schedule for firmware checks (quarterly at minimum)
A security system installed with default passwords, open ports, and outdated firmware is not a security system — it is a vulnerability. The few extra minutes spent on cybersecurity hardening during installation protect both your client and your professional reputation.
Ongoing Responsibility and Maintenance Contracts
Cybersecurity is not a one-time configuration — it requires ongoing attention as new vulnerabilities are discovered and new firmware versions are released. For installers, this represents both a responsibility and a business opportunity.
Offering a maintenance contract that includes periodic firmware updates, password rotation, and security audits provides ongoing revenue while ensuring that the systems you installed remain secure over their operational life. Clients who understand the importance of cybersecurity maintenance are typically willing to pay for this service, especially when the alternative — a compromised security system — is clearly explained.
For commercial clients, annual or semi-annual security audits that review firmware versions, check for exposed ports, verify password policies, and test communication encryption provide documented assurance that the system remains secure. This documentation can also support the client’s compliance requirements under industry regulations and insurance policies.
The security industry’s credibility depends on installers taking cybersecurity as seriously as they take physical security. Every installation is an opportunity to demonstrate professionalism, protect your client, and differentiate your business from competitors who still treat cybersecurity as an afterthought. The technical steps are not complex — they simply need to be consistently applied to every job, every time.

