Steven Kenny, Industry Liaison, Architecture and Engineering at Axis Communications, discusses why education throughout the supply chain is critical for effective cybersecurity.
A change in approach to security has been required for a while. A combination of siloed communications, a lack of cybersecurity consideration at project inception stage and a security skills shortage has led to cyber breaches and data leaks becoming an all too familiar occurrence. This has led to many questioning the professionalism of current security measures and the security industry more broadly.
These are issues that must be tackled, and quickly. That said, a new standard in security that has been over six years in the making is now upon us. With the aim of opening lines of communication between supply chains, enhancing education and professionalism regarding cybersecurity and making certain that everybody is aware of the increasing amount of data protection challenges we are facing, the EU’s General Data Protection Regulation (GDPR) is now enshrined in law. While the GDPR does not mandate a specific set of cyber security measures, it does expect firms to take ‘appropriate’ actions. The security measures must be designed into systems from the outset (referred to as Privacy by Design) and maintained effectively throughout the life of the system.
A connected future – the rise of the Internet of Things
Just as GDPR is here to stay, so is the movement towards Internet of Things (IoT) technologies, designed to track and monitor systems looking for intelligent ways to boost efficiency. That could be industrial processes, it could be shoppers moving around a retail store, or it could be gym goers looking to improve their fitness levels with wearable health trackers. The concept of ‘smart’ cities has begun to emerge too, promising increased safety, security and more efficient use of resources in our ever more populated urban areas. Connected technologies are essential to building habitable and efficient cities of the future, but they also generate a huge amount of data, which is extremely valuable to cyber criminals. At a time when trust in large tech companies and big data solutions is ebbing, GDPR is a ‘tool’ that businesses who gather data, through smartphone apps, security cameras or other IoT devices, can leverage to show that they are on the end users’ side.
For a service or solution to be truly secure, and for data processors to be able to say that they meet GDPR’s requirements, security has to be a consideration in every stage of technology development and deployment. GDPR talks about privacy, security and data protection ‘by design and default’, which security professionals interpret as ensuring that vulnerabilities are tested for on a regular basis, with proactive mitigation measures put in place. Everyone involved needs to understand the security implications and best practices.
Education throughout the supply chain crucial to increase security
The main lesson GDPR teaches us is that good cybersecurity has to be all-inclusive. There’s no point investing in the best vendor-offered security solutions if they can be compromised by poor staff awareness or weak security in other devices to which they are connected. It’s important to invest in education, for companies of all sizes to turn heightened awareness around GDPR into a culture of cybersecurity which follows professional best practices when connecting devices to networks.
GDPR focusses on the responsibilities of data processors and controllers, and in our industry that means systems integrators and installers; but it has been made clear that manufacturers must include features in their products that allow data controllers to adhere to the law. This secure by design ethos offers vendors and installers the opportunity to address security from the outset of product design, deployment, and throughout its entire lifecycle.
For IoT solutions, this means deeper conversations throughout the supply chain to ensure that manufacturers and their suppliers are able to understand customer needs. But customers also need to do their research. They must understand that the technologies they deploy will have an impact on their cybersecurity. Installers must advise them to implement devices from trusted vendors who take a secure by design approach to product development.
So, collaboration must exist between vendor, installer and end user. Today, thorough testing and plans for deploying firmware upgrades tend to be left if not to the last minute, then at least until it’s too late to make major changes to a deployment plan. One misconfigured component could be enough to circumvent designed control systems and can be easy to miss if testing isn’t conducted early on. Spotting these kinds of issues requires true collaboration from the outset.
There’s an opportunity for manufacturers who understand their customers’ needs in this regard to get ahead of the game and help to pre-empt those questions that their implementing partners should be asking. And the more this can happen, the more the phrase ‘GDPR compliant’ will be synonymous not with automated email list tools, but with design for a safer, smarter world.
Industry Liaison, Architecture & Engineering Axis Communications