Business Reporter

AV: the boardroom blind spot

Dr Jim Johnstone at Yorktel-Kinly explains why AV has become a serious cyber-risk for businesses

When a major cyber-attack hits the headlines, the story usually focuses on the victim: the retailer, the bank, the government department. But the hard lesson of 2025 has been that in many cases the target wasn’t the first organisation compromised. Attackers now often enter through a supplier or an overlooked system, then use that access to move sideways to their real prize.


That’s why supply chain security is now a board-level topic. But despite this new focus, one risk area common to almost every organisation is still flying under the radar: audio-visual (AV) technology.


This might surprise some leaders. AV is sometimes still treated as facilities tech: screens, microphones, room kits. Useful, but not critical. The reality is very different. Modern AV is networked, software-driven and deeply integrated into how businesses operate. In other words, it’s part of the IT estate and, as a result, is very much part of the attack surface.


Kinly’s Trusted Connections 2025 research found that 31 per cent of organisations say their AV security is not fit for purpose. Almost half don’t value, or even recognise, AV’s role in maximising overall security. Those numbers point to a dangerous gap between what AV has become and how it’s still being managed.


No longer just kit in a room

Walk into any office, university, hospital or public-sector HQ and AV is everywhere. It powers executive boardrooms, hybrid meeting rooms, training suites, command centres and customer-facing spaces. It sits on the corporate network, connects to collaboration platforms including Teams, Webex and Zoom, and increasingly relies on cloud services to manage and update devices.


The business benefits are obvious: better communication, more productive hybrid teams and richer experiences for staff and customers. The risk is less obvious, until you look at AV through the eyes of a security professional.


AV systems are effectively computers that listen and see. They have operating systems, firmware, storage and admin access. They also generate and carry sensitive information, which means they can no longer be treated as passive hardware.


Think about what happens in the boardroom. It’s where some of the most confidential conversations happen, from M&A activity and budgets, to whistleblowing and risk. If AV systems in those spaces aren’t governed and managed like other networked technology, they can quickly become an overlooked source of exposure.


Why supply chains matter

AV sits in a uniquely tricky spot for accountability. Procurement and oversight often fall across multiple functions. Devices may be installed by one department, supported by another and remotely managed by an external service provider. This diffused ownership can create blind spots.


We see the knock-on effect in supply-chain risk. The UK Government’s Cyber Security Breaches Survey 2025 found only 14 per cent of UK businesses have formally reviewed the cyber-security risks posed by their immediate suppliers. So, while organisations are tightening their own ship, many still don’t have clear expectations for the partners operating inside their perimeters.


Laws such as DORA, NIS2 and the forthcoming UK Cyber Security & Resilience Bill improve this, but security professionals view laws as a baseline, not a standard to aspire to.


AV suppliers and integrators are part of that chain and they’re rarely the end target for attackers; they’re the stepping stone. If one supplier has weak processes, misconfigured devices or loose credential controls, attackers can exploit that trust to reach multiple customers. That’s what makes this a business resilience issue.


The problem isn’t lack of knowledge, it’s lack of application

If you work in cyber-security, the fix isn’t mysterious. The world already knows what good security looks like: build systems securely, harden them properly, keep them patched, log activity and control access tightly. The problem is that these disciplines haven’t historically been applied consistently to AV.


I often describe it the same way. We haven’t reinvented the wheel; we’ve just put it in a new vehicle. The security principles are proven. They simply needed to be translated into a clear and unified AV standard that any organisation could follow and verify.


That’s why we created the AV Security Standards, industry-first guidance that is open and free to use. AV security can’t be fixed one company at a time. The baseline needs to rise across the whole sector.


At their core, the standards provide end-to-end security guidance for AV, covering everything from system design to ongoing operation and safe decommissioning. They start with Secure by Design principles, ensuring security isn’t treated as a tick-box at handover but built into projects from day one. If it isn’t, organisations end up paying for it later in disruption, cost and risk.


The standards also set clearer expectations for suppliers by defining criteria for devices and vendors before anything is deployed, reducing the chance of hidden weaknesses entering the estate. From there, they focus on operational discipline, often where the biggest risks sit. That means keeping systems evergreen through hardening, patching and proper monitoring, so AV is treated like dependable business infrastructure rather than an unmanaged liability.


Finally, they cover safe end-of-life, recognising that retired kit can still hold data and credentials, so disposal and replacement need to be handled securely, too.


In practice, that also means controls like identity management, removing default admin accounts, enforcing multi-factor authentication and centralised logging. The business outcomes are simple: fewer weak links, fewer surprises and a clearer view of what’s on your network and in your meeting rooms.
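What those operational controls look like when written down as a check is shown below. This is an added example, not code from the article, from Yorktel-Kinly or from the AV Security Standards: a small audit that walks a constructed AV device inventory and flags the gaps the article names (default admin accounts still present, MFA not enforced on the management interface, no central log forwarding, firmware behind the vendor's current release) plus the end-of-life point that retired kit should hold no live credentials. The device records, model names, firmware versions and the `DEFAULT_ACCOUNTS` list are all constructed for illustration.

```python
"""
Added example (not part of the article or of the AV Security Standards):
audit a constructed AV device inventory against the operational controls
the article lists. All records, models, versions and account names below
are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed: vendor-published current firmware per model
# (hypothetical model names and versions, not real product data).
CURRENT_FIRMWARE: Dict[str, str] = {
    "roomkit-x": "4.2.1",
    "display-pro": "2.9.0",
    "mic-array": "1.7.3",
}

# Constructed: account names assumed to ship enabled by default.
DEFAULT_ACCOUNTS = {"admin", "root", "service"}


@dataclass
class AvDevice:
    name: str
    model: str
    firmware: str
    status: str                       # "active" or "retired"
    accounts: List[str] = field(default_factory=list)  # local accounts present
    mfa_enforced: bool = False        # MFA required on the management interface
    syslog_target: str = ""           # central log collector; empty = not forwarding


def parse_version(v: str) -> tuple:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def audit_device(dev: AvDevice) -> List[str]:
    """Return the control gaps for one device (empty list = no findings)."""
    findings: List[str] = []
    if dev.status == "retired":
        # End-of-life control: decommissioned kit must not keep live credentials.
        if dev.accounts:
            findings.append(f"retired device still holds accounts: {sorted(dev.accounts)}")
        return findings
    defaults = DEFAULT_ACCOUNTS & set(dev.accounts)
    if defaults:
        findings.append(f"default admin account(s) present: {sorted(defaults)}")
    if not dev.mfa_enforced:
        findings.append("MFA not enforced on management interface")
    if not dev.syslog_target:
        findings.append("no central log forwarding configured")
    latest = CURRENT_FIRMWARE.get(dev.model)
    if latest is None:
        # No patch baseline means the device is effectively unmanaged.
        findings.append(f"unknown model '{dev.model}': no patch baseline on record")
    elif parse_version(dev.firmware) < parse_version(latest):
        findings.append(f"firmware {dev.firmware} behind current {latest}")
    return findings


def audit_estate(devices: List[AvDevice]) -> Dict[str, List[str]]:
    """Map device name -> findings, listing only devices with at least one gap."""
    return {d.name: gaps for d in devices if (gaps := audit_device(d))}


# Constructed sample inventory.
SAMPLE_ESTATE = [
    AvDevice("boardroom-codec", "roomkit-x", "4.2.1", "active",
             accounts=["avops"], mfa_enforced=True, syslog_target="logs.corp.example"),
    AvDevice("training-display", "display-pro", "2.7.4", "active",
             accounts=["admin", "avops"], mfa_enforced=False, syslog_target=""),
    AvDevice("old-lobby-mic", "mic-array", "1.5.0", "retired",
             accounts=["admin"]),
    AvDevice("huddle-cam", "cam-unknown", "1.0.0", "active",
             accounts=["avops"], mfa_enforced=True, syslog_target="logs.corp.example"),
]

if __name__ == "__main__":
    for name, gaps in audit_estate(SAMPLE_ESTATE).items():
        print(name)
        for g in gaps:
            print("  -", g)
```

Run as a script it prints the gap list per device; the clean boardroom codec produces no output, the training display shows all four operational gaps, the retired microphone is flagged only for the credentials it still holds, and the camera of unknown model is flagged because no patch baseline exists for it. In a real estate the inventory would be pulled from the AV management platform rather than typed in, but the checks themselves are the ones the article describes.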


The hidden human cost

Beyond the financial and operational damage, major incidents put huge strain on the teams responding to them.


When a breach spreads through an overlooked gap, response teams are pulled into long, high-stakes cycles of containment, recovery, legal and customer communications and repeated scrutiny from leadership and regulators. That environment is exhausting and it’s one reason why resilience can’t rely on heroics.


Clear, repeatable standards help reduce the likelihood of avoidable incidents. Just as importantly, they help organisations respond in a calmer and more controlled way when something does go wrong.


The next steps for business leaders

If AV is in your rooms, it needs to be in your risk model.


Treat it for what it is: connected infrastructure that supports the most sensitive and valuable moments in your organisation. Build it securely. Patch it. Audit it. Demand standards from your suppliers. Make sure AV is not the blind spot that turns your supply chain into an access route.


Because attackers don’t care whether a device is labelled IT or AV. They care whether it’s the easiest way in. Right now, and all too often, AV can be.


Dr Jim Johnstone, D.Eng., CISSP is Chief Information Security Officer at Yorktel-Kinly


© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543