Of course, security is a huge concern in this day and age. Even before the "hacks" of default-passworded devices became publicized, Dahua cams (and probably Hiks too) had been observed communicating with IPs in China for unclear reasons.
For Hiks, I think the answer is two-fold - disable platform access to stop that vector, and then get yourself a nice firewall. I use pfSense, a free, open-source software firewall that runs on an old computer. My pfSense install is setup to do 3 main things to stop attackers:
1)
Blue Iris and all cams are VLAN'ed onto a different subnet that can't talk to any other subnet on my LAN - I have long worried that Blue Iris or Hiks might get hacked, and containing them in this way ensures that an attacker couldn't jump to any other devices on my LAN, just because they got in through a device on the VLAN. Note that other devices on the LAN can talk to the security cam VLAN, so managing Blue Iris (or using Remote Desktop to manage the Blue Iris server) is still easy.
2) On the security cam VLAN, pfSense has rules to completely disallow the Hikvision cams to talk to the internet, except for time.windows.com (to set time). This completely prevents the Hiks from phoning home or from being accessed from the WAN. The Blue Iris server gets full outbound access to the WAN, and the inbound access (for remote Blue Iris viewing) has a different default port and is scheduled to only allow access to Blue Iris from the WAN during work hours. The ability to schedule firewall rules like this is one thing that makes pfSense a cut above your regular consumer-level routers.
3) pfSense can be setup to provide all major forms of VPN, and configuring it properly is a 10 minute job. Any access to Blue Iris (or other systems on the LAN) that is needed outside of work hours can be accomplished just by VPN-ing in and loading Blue Iris.
Considering one can easily spend $200 for a fancy all-in-one wireless A/C router from Netgear or Linksys, I think it's a comparatively great deal to get something like an old
i3-3220 computer, paired with a
Ubiquiti UAC-AC-Lite wireless access point, a
basic, managed gigabit switch, and a second gigabit network card for your pfSense box. All together, these items cost about the same as a $200 router, but can be configured to be way more secure than a consumer router ever could.