“Securing AV systems. Not everybody’s favorite topic, but it’s critical,” said host Steve Greenblatt as he opened Episode 131 of A State of Control. For many IT and AV leaders, security conversations still feel like a burden. Yet the reality is unavoidable: every connected device in a conference room, classroom, or command center represents another potential point of entry for attackers.
In this episode, Greenblatt was joined by co-host Rich Fregosa and returning guest Paul Konikowski of Kronos LLC. Together they unpacked why AV is no longer a side note in enterprise security strategies and what decision makers need to do about it.
Expanding Attack Surfaces
Konikowski, a longtime advocate for AV security, framed the issue in simple terms: “As we add more and more AV devices to a network, we’re basically increasing that attack surface that a hacker could come in and do something bad.”
From unpatched wireless presentation systems to cameras streaming unencrypted video, AV gear can easily become a pivot point for attackers. Worse, default passwords and overlooked firmware updates often go unnoticed until they’re exploited. California’s SB-327 law requiring unique device passwords was a start, but, as Konikowski noted, “these laws are passing, yet AV often lags behind IT in patching and accountability.”
When Heads Roll
For Fregosa, the stakes are both technical and reputational. He shared a hard truth that decision makers sometimes overlook: “When an event happens, people get angry and look for somebody to blame. You don’t want to be the person to blame.”
He recounted projects where even peripheral involvement in a breach meant vendors had to prove, with documentation, that their systems weren’t the source. That’s why shortcuts, like texting passwords or skipping encryption to meet a deadline, carry risks far beyond a single project. In the worst cases, they can cost integrators clients or even sink companies.
Shifting from Convenience to Process
The conversation highlighted a cultural shift that must happen across AV projects. For decades, success meant systems worked reliably and on time. Today, reliability without security is a liability.
Greenblatt underscored the point: “It does require a little extra effort and a little thinking outside the box… but it’s part of the professionalism of our business.”
That extra effort includes:
- Assigning responsibility for firmware updates.
- Using multifactor authentication (MFA) wherever possible.
- Locking down user privileges so not everyone is an admin.
- Documenting security processes from project kickoff through closeout.
Testing, Training, and Transparency
Looking ahead, Konikowski predicted that penetration testing of AV systems, once considered far-fetched, will increasingly be driven by clients. “The bigger corporate clients will hire penetration testers, third-party or internal red teams, to try to hack different things and get access,” he explained.
He also hinted at industry rumblings of hands-on training environments where integrators can practice uncovering vulnerabilities in lab conditions. That kind of transparency, though uncomfortable, may be necessary to bring AV up to the level of scrutiny already expected in IT.
Why AV Security
The episode closed on a sober reminder: AV systems are no longer “set and forget” installations. They are fully networked, data-rich environments. And while no system will ever be 100% secure, organizations that treat AV security as optional are leaving the door open to risk.
For IT and AV leaders, the call to action is clear: demand secure practices from integrators, ensure teams follow documented processes, and foster a culture where security is everyone’s responsibility.
Because, as Konikowski put it bluntly, “I just kind of assume everything is compromisable and try to isolate it.”