Something needs to change when you’re confronted by the present situation whereby devices professing to be ‘Smart’ or part of a ‘Smarter System’ ask for personal data, but are then easily hacked into by criminals such that valuable personal information can be stolen. In an exclusive article for Risk Xtra, James Willison and Sarb Sembhi examine stakeholder roles in achieving data protection (and security) by design and default in smart projects with Internet of Things (IoT) devices.
We’ve just published a new approach to the European Union’s General Data Protection Regulation (GDPR) for security professionals and the stakeholders whom they deal with on a daily basis. The 40-page White Paper, which is sponsored by Axis Communications, stands out because, until now, many colleagues in the security world have lived under the mistaken assumption that GDPR compliance isn’t something that falls within their remit, but is instead managed either by legal, IT or compliance professionals. At least in part, this is based on the assumption that their security teams are not data controllers or processors. As far as they’re concerned, the lengthy 200-plus pages of legislation issued by the EU aren’t something they need to worry about.
However, the in-house security manager can often be described as a project manager in a large-scale surveillance system implementation, for example, and will therefore need to ensure that the devices and systems duly deployed are secure by both design and default. He or she should also work closely with others involved with the project to guarantee that the systems and devices employed harbour data protection (ie privacy) by design and default.
In the first half of the White Paper, which is entitled ‘Smart GDPR Assurance for a Smarter World’, we cover in some detail the different ways in which the Internet and the increasing volume of data which connects to IoT systems has meant that personally identifiable information is now placed at a higher risk than it was back in the 1990s. As Professor Klaus Schwab, CEO of the World Economic Forum, has stated on page 59 of his book entitled ‘The Fourth Industrial Revolution’ (published in 2016): “The digital transformations of industry mean that businesses will need to invest heavily in cyber and data security systems in order to avoid direct disruption by criminals and activists or unintentional failures in digital infrastructure.”
This has led to the GDPR being written for the protection of the individual’s data privacy and security. It also usually means that the systems involved – and, indeed, those who manage them – often need to demonstrate compliance by carrying out Data Protection Impact Assessments (DPIAs), because of their large-scale nature and the use of innovative technologies such as biometrics and CCTV in ‘Smart Buildings’.
Large-scale IoT ‘Smart’ environments
In our new White Paper, we’ve deliberately dedicated a chapter to those technologies, products and services related to large-scale IoT ‘Smart’ environments and briefly outline some that have provided greater functionality, but that have also created increasing concerns in terms of the data collected (or what that data is used for). This includes a consideration of key areas such as Big Data analytics, cloud computing, Artificial Intelligence, machine learning, sensors, medical devices, physical security systems, surveillance monitoring services and Security Information and Event Management services.
We then introduce scenarios such as ‘Smart Vehicles’ and ‘Smart Buildings’ because these are prime examples of how stakeholders are involved in the protection of high volumes of data and, given the connection here to the individual (whether that’s a passenger or consumer), their privacy and security are vulnerable to attack from those with criminal intent. For the owners of large IoT installations such as ‘Smart Buildings’ or ‘Smart Cities’, processing data in compliance with the GDPR becomes a complex procedure since there’s a vast number of suppliers who contributed to the final working solution and who may not have known what they needed to do in order to assist with that compliance.
In the second half of the document, we group together important control mechanisms for all the stakeholders in a large IoT ‘Smart’ project. The various groups of obligations across the supply chain in order to comply with the GDPR can be broken down into the following:
*the obvious legal obligations of data controllers and data processors to comply with the GDPR
*the less obvious obligations of manufacturers to (a) comply with the clarified ‘Opinion’ of the Article 29 Working Party and (b) assist customers in complying more easily with their own legal obligations
*the obligation of the post-production suppliers to ensure that the service they provide assists the manufacturer in meeting its own obligations (and those of its customers)
The major difference between the last two of these is that the manufacturer could design data protection and security into the product or service at an earlier stage of its development, whereas the post-production supplier mainly implements the controls once they’re already built into the product or service provided.
Our White Paper is targeted at the last three groups on the assumption that most data controllers and data processors know they need to comply with the GDPR. To help in attaining that state of compliance, we’ve provided collated lists of seven groups of control mechanisms, in turn enabling the supply chain stakeholder to ensure that it’s providing added value to be competitive and make IoT products and services more secure with built-in functionality which places data protection at the very heart of the service.
Pre-production and post-production phases
We focus on the role of manufacturers, project managers, designers, consultants, software suppliers and installers in the pre-production and post-production phases of any large-scale project. What we discuss also applies to small and medium-sized enterprises (SMEs) that might be component manufacturers or code-makers, hence the inclusion of SMEs who might act as suppliers to the larger enterprise.
In fact, it’s often SME data which is less secure and provides an ‘easy way in’ for a cyber attacker to gain access to personal information, which might then mean a large fine from the Information Commissioner’s Office post-investigation. It’s now vital that project managers who are responsible for these systems give the organisation assurance that valuable information is protected. Failure to do so could have quite serious implications for the security team, as past cyber attacks have included compromises of HVAC, CCTV and other physical security systems.
Should a hefty fine result, it’s then likely that questions will be asked of the security team. In fact, the largest fines to date for Target’s data breach have involved an HVAC system third-party supplier.
Our new White Paper covers a wide range of principles and control mechanisms which, if readily practised, will make a real difference to the security strategy and management of these risks. We emphasise how large volumes of data and innovative technologies in large-scale projects such as ‘Smart Buildings’, ‘Smart Shopping’ and ‘Smart Healthcare’ now involve new requirements from the GDPR for DPIA.
It must also be recognised that the security manager may not be required to lead the assessment, but he or she will nevertheless need to understand a complex risk scenario (which our White Paper introduces). The project manager can evidence good security practice by requiring stakeholders – ie the systems manufacturers, designers, integrators and installers – to actively demonstrate that they’re following the legislation.
Overview of the GDPR
We’ve also provided an overview of the GDPR aimed at those practitioners who are perhaps less familiar with the legislation and who want a summary of some of the main principles and points to consider in ‘Smart’ projects using IoT devices. The key resources on which the guidance outlined in the White Paper is based are listed for further study.
In conclusion, it’s recommended that all stakeholders collaborate and establish diverse cross-functional teams, as discussed in the White Paper entitled ‘Supporting Enterprise Security Risk Management: How Vendors Can Support ESRM and CSM’ (published by Unified Security Ltd in 2017). The privacy and security of people’s data is most likely to be maintained by dint of organisational functions and stakeholders across the supply chain actively working together towards a common goal.
We welcome Axis Communications’ demonstrable commitment to the GDPR and its ongoing support for privacy and security by design and default, and also recognise the excellent work that the business has undertaken internally to achieve some of the recommendations proposed.
Steven Kenny (industry liaison for architecture and engineering at Axis Communications) writes in the Foreword to our document: “GDPR compliance is the first step in winning back trust from a public wary of corporate overreach on issues of personal data. Companies that see beyond compliance and embrace the underlying logic of ‘privacy by design’ are the ones who’ll succeed in the long term, both in terms of defending against cyber attacks and maintaining their reputations. If the conversation has changed into something more positive, the challenges of GDPR compliance and developing a strong security culture remain. That is why we have been enthusiastic in supporting this White Paper which we believe will help companies navigate the changing world of cyber security.”
James Willison BA MA MSyI is Founder of Unified Security Ltd. Sarb Sembhi CISM is CTO and CISO at Virtually Informed Ltd.
*To download copies of ‘Smart GDPR Assurance for a Smarter World’ visit http://www.axis-communications.com/smart-assurance-wp