When most businesses think about cybersecurity, they think about computers. Laptops, email, passwords, the network. There’s usually a managed IT provider running updates, watching for threats, making sure the software is current.
What almost nobody thinks about: the cameras on the ceiling and the badge readers next to the doors.
Those devices are computers too. They run software and connect to your IT network. And in most offices, nobody is keeping them updated, which means those devices also have security gaps that are not being addressed.
Your Security Devices Are on the Same Network as Your Sensitive Data
The cameras and badge readers of your security system aren’t isolated equipment. They’re connected to the same IT network that your computers, files, and sensitive data live on.
Every device that connects to a network runs software, and every piece of software requires regular updates to stay secure. Your IT provider handles that for your computers and servers. But in most offices, no one is doing the same thing for the cameras and badge readers.
The result is a device that looks like it’s doing its job (the light is green, the door opens) but is quietly running outdated software with known vulnerabilities. To someone looking for a way into your network, that’s an open door.
The Businesses Getting Hit Look a Lot Like Yours
Professional service firms, law offices, accounting practices, insurance agencies and medical offices all hold sensitive personal information, and that data is exactly what makes these businesses attractive targets for attackers. An outdated, unmanaged security device on the network is one of the easier ways in.
The examples are recent and the costs are significant:
- A prominent U.S. law firm discovered in 2023 that an unauthorized actor had accessed files on its network — ultimately exposing the personal information of approximately 3.5 million people.¹
- A New York medical group suffered a breach that same year compromising patient Social Security numbers and insurance data, resulting in a $4 million class-action settlement.²
- A group of auto insurers was hit with $14.2 million in regulatory penalties in 2025 after hackers stole data on 825,000 drivers through unprotected digital tools.³
These aren’t outliers. The American Bar Association (ABA) found that 29% of law firms reported experiencing a security breach.⁴ Among insurers, 85% reported experiencing a cyberattack recently.⁵ Across professional services, breaches of sensitive client data have become routine.
Your Insurance Policy May Not Cover It
Cyber insurance has become standard for most professional service businesses. But the coverage that businesses think they have and the coverage they actually have are increasingly different things.
Policies now commonly contain exclusions for incidents caused by known vulnerabilities that weren’t addressed. In plain terms: if your system was running outdated software that had a known security flaw, and a breach happened through that flaw, the insurer has grounds to deny the claim.
The camera on the wall. The door reader. The controller box in the storage room. Any one of them can void the policy.
The average cyber incident cost for a small or mid-size professional services firm is around $300,000.⁶ Ransomware incidents average $485,000. A data breach involving inadequate safeguards can reach $4.88 million in total costs.⁷ Those are the numbers that sit behind a denied claim.
What Your IT Provider Isn’t Covering
Your managed IT provider handles your computers, your network, your email. They’re not responsible for the physical security system, and it falls outside everyone’s scope.
That’s what gets overlooked. The devices likely to be running outdated software are the ones nobody manages regularly. Not because of a deliberate choice to leave them unmanaged. Because no one was assigned to manage them.
When your cyber insurance policy comes up for renewal, the questionnaire is getting longer. Insurers are asking more detailed questions about security posture, including physical systems. The businesses that can document active management of their cameras and door access system are in a materially different position than the ones that can’t.
This is the final post in the Security Without Surprises series.
Sources
¹ Wolf Haldenstein Adler Freeman & Herz LLP, data breach notice published January 2025. Reported by Bitdefender, January 17, 2025.
² Essen Medical Associates, P.C. (New York). March 2023 data breach; $4 million class-action settlement agreed March 2026.
³ New York Attorney General’s Office, Attorney General James Secures $14.2 Million from Car Insurance Companies Over Data Breaches, 2025.
⁴ American Bar Association, 2023 Legal Technology Survey Report: Technology Basics & Security.
⁵ Accenture, Global Insurance Consumer Study 2023.
⁶ NetDiligence, Cyber Claims Study 2024.
⁷ IBM, Cost of a Data Breach Report 2024.

