Tuesday 27 January 2026 - Chelsea Peplow
Across the UK, cyber security is no longer a specialist concern reserved for IT teams, but a national resilience priority. As physical and digital infrastructure converge, even traditional security systems such as intruder alarms, access control, and video surveillance systems now sit directly on IT networks. This shift has created a new reality: every connected security product is now a potential risk if not deployed responsibly.
The UK government has recognised this through frameworks like the PSTI Act (Product Security and Telecommunications Infrastructure Act), which mandates baseline cyber hygiene for consumer IoT (Internet of Things) products. In the professional security sector, however, baseline is no longer enough - devices are highly interconnected, business-critical, and increasingly managed by cloud platforms.
To meet this challenge, the BSIA and its members have introduced CySPAG - the Cyber Security Product Assurance Group. It is an industry-led initiative that is designed to close the cyber gap in the professional security sector, and give end users the confidence they need that the systems protecting their sites aren't inadvertently opening the door to attackers.
The UK has seen an escalation of cyber threats that exploit weaknesses in physical security products:
Security manufacturers and integrators increasingly rely on cloud connectivity, remote access, and embedded firmware. This has made them attractive targets to hackers and cyber criminals. A compromise in a single camera, access reader, or NVR isn't just a device-level issue. It can provide visibility to entire networks and business operations.
The "fit and forget" mindset is still common. Devices stay in place for years without firmware updates, installers default to factory passwords, and network segmentation is inconsistent. These practices inadvertently create vulnerabilities that attackers actively seek out.
While the UK is making strides in general cyber awareness, the professional security sector faces a unique challenge: installers are usually the last hands on a system before it goes live, yet many have never been formally trained to be cyber-resilient.
Unlike generic cyber standards, CySPAG has been created by the professional security industry, for the professional security industry. It recognises that physical security products are no longer isolated, but connected devices with cyber exposure.
CySPAG sets out clear expectations for both manufacturers and installers, ensuring secure design, secure deployment, and secure lifecycle management.
While the PSTI Act sets a baseline for cyber security, CySPAG's guidance and self-declaration frameworks surpass it. Manufacturers and installers must evidence their policies, update mechanisms, vulnerability disclosure processes, and cyber-responsible installation practices.
CySPAG emphasises installer responsibility in cyber hygiene. From changing default passwords and disabling unused services to documenting configurations securely, it ensures installers actively contribute to cyber resilience rather than unintentionally eroding it.
By choosing CySPAG Registered Manufacturers or Installers, clients know they are working with organisations that follow industry-leading best practice. This strengthens trust throughout the supply chain.
CySPAG represents exactly what the UK security sector needs right now: collaboration, improvement, and commitment. The message to the market is clear: Physical security is, and will be, cyber security - and CySPAG is the framework that brings these worlds together.
As organisations continue to modernise their estates, embrace IoT technologies, and rely more heavily on cloud-connected systems, CySPAG will play a pivotal role in keeping UK businesses, public services, and communities safe.