The General Data Protection Regulation (GDPR) is a huge consideration for businesses across the globe. The key tenets of the regulation, including fines of four percent of annual group turnover or €20m, whichever is higher, should now be well known by all industries.
Currently, however, only 43 percent of organisations are said to be actively preparing for GDPR. This could result not only in increased risk displacement, exposing poorly secured businesses to threats as their counterparts invest in technology to ensure security and compliance, but also bring with it the potential for significant fines.
A particular risk is the security of networked devices, with various threats utilising IoT technology as a staging ground for wider attacks. The cyber landscape is changing on an almost daily basis. An organisation may verify the security of its network on a Monday, yet by the Friday the situation may have changed drastically through the addition of unsecured technology – introduced either by employees or directly from the manufacturer.
As demonstrated by the recent global WannaCrypt ransomware infection, attacks are also becoming more sophisticated. The line between nation-state and organised criminal activity has become far less distinct, resulting in criminal groups gaining access to highly sophisticated malware. As the threats faced by businesses continue to rise, the need to re-evaluate supply chain security and ensure all employees are briefed on an organisation's cyber-security strategy has never been greater.
Ensuring supply chain security to mitigate risk
Within the surveillance industry, we have seen a significant change in the past decade – a shift away from analogue CCTV to the networked cameras in use today. This has resulted not only in greater levels of business intelligence through analytics and big data, but has increased the safety and security of different environments. Within rail, for example, various analytic technologies can be used to identify persons within “high risk” or restricted areas – assisting in preventing suicides.
The way IoT technology is deployed is key to its security and can leave organisations exposed to vulnerabilities. A worst-case scenario is when physical security systems, deployed to protect assets and information, act as the weakest link – granting an attacker access to other areas of the network. As such, with an increasing number of threats facing businesses and an expanding number of attack vectors, businesses need to look further afield than their own four walls to ensure cyber-security. Any untested device is a potential avenue of attack against a network, whether it is an employee simply plugging in a USB device, untested IoT technology being connected, or a company laptop or tablet being joined to a non-secure network.
Whereas security specialists once dealt with the entire process behind procuring and installing surveillance technology, the task has now become more collaborative – sitting jointly between IT departments and their security counterparts. This is due to an industry shift, with surveillance and security technology now a key feature of the IT network.
The rate of technological advancement, when combined with unclear cyber-security responsibility between internal stakeholders, has left something of an education gap. In real terms, this means that when it comes to supply chain management, due diligence is often not practised.
Those responsible for the technology simply do not have the breadth of information necessary to make informed decisions and mitigate cyber risks; what is important to IT is not always important to security and vice versa. GDPR provides the perfect motivation to meet these challenges head on.
Confirming security, mitigating liability
GDPR, in essence, is designed to bring businesses up to a minimum standard on damage mitigation. The regulation does not stipulate that a business must be unbreachable, only that the prerequisite planning and research has been undertaken and that compliance has been achieved to minimise the potential of a breach and effectively react should a breach occur.
Whilst GDPR specifically relates to a company that retains and loses Personally Identifiable Information (PII), this responsibility does not necessarily extend to companies in the supply chain where the insecure technology is sourced.
What this means is that while organisations within a supply chain may not be directly liable for a breach under GDPR, it provides a case for rolling the impact of GDPR fines downhill from the organisation that purchased the device.
Should an organisation suffer a data breach and subsequently be fined under GDPR, once the cause of the incident is identified, the liability will likely not remain with the original company if due diligence has been practised and can be proven. Should an organisation within the supply chain that claims its technology is secure then have its assertions proved otherwise, it will be potentially vulnerable to action from firms that used its technology under false impressions.
The UK's National Cyber Security Strategy 2016-2021 refers to the concept of ‘secure by default’, “ensuring that the security controls built into the software and hardware… are activated as a default setting by the manufacturer”. This concept is an essential element of any technology utilised today.
The cyber-security element of a modern business is a process, however, and extends far beyond a product-led approach. True security requires collaboration between user and manufacturer – no device, despite being secure by default, will remain so with default passwords enabled, for example.
GDPR is designed to ensure a baseline of security across the EU and countries holding EU-related data. In meeting the compliance challenge, fines can be avoided through comprehensive reporting, data storage methods and access limitation. By implementing due diligence at every step of the supply chain, the burden is further reduced. GDPR compliance is not an issue that will be met by end-users alone. Instead, a collaborative approach where vendors, manufacturers and end-users all take responsibility for cyber-security effectiveness will ultimately minimise the risk of a damaging breach.
Contributed by Steven Kenny, business development manager, architecture and engineering, Axis Communications
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.