Steven Kenny, Business Development Manager, Architecture and Engineering at Axis Communications, discusses why cybersecurity across the entire supply chain is key for organisations in ensuring GDPR challenges are met
The General Data Protection Regulation (GDPR) is a huge consideration for businesses across the globe. The key tenets of the regulation, including fines of 4 per cent of annual group turnover or €20m, whichever is higher, should now be well known by all industries. Currently, however, only 43 per cent of organisations are said to be actively preparing for GDPR[1]. This could result not only in increased risk displacement, exposing poorly secured businesses to threats as their counterparts invest in technology to ensure security and compliance, but also brings with it the potential for significant fines.
A particular risk is the security of networked devices, with various threats utilising IoT technology as a staging ground for wider attacks[2]. The cyber landscape is changing on an almost daily basis. Should an organisation ensure the security of its network on a Monday, by the Friday, the situation may have changed drastically with the addition of unsecured technology – either from employees or direct from the manufacturer.
As demonstrated by the recent global WannaCrypt ransomware infection, attacks are also becoming more sophisticated. The link between nation-state and organised criminal action has become far less distinctive, resulting in criminal groups gaining access to highly sophisticated malware. As the threats faced by businesses continue to rise, the need to revaluate supply chain security and ensure all employees are briefed on an organisation’s cybersecurity strategy has never been greater.
Ensuring supply chain security to mitigate risk
Within the surveillance industry, we have seen a significant change in last decade – a shift away from analogue CCTV to the networked cameras in use today. This has resulted not only in greater levels of business intelligence through analytics and big data, but has increased the safety and security of different environments. Within rail, for example, various analytic technologies can be used to identify persons within ‘high risk’ or restricted areas – assisting in preventing suicides.
Beyond the security of the device itself, the way IoT technology is deployed is key to its security and can leave organisations exposed to vulnerabilities. A worst-case scenario is when physical security systems, deployed to protect assets and information, act as the weakest link – granting an attacker access to other areas of the network. As such, with an increasing number of threats facing businesses and an expanding amount of attack vectors, businesses need to look further afield than their own four walls to ensure cybersecurity. Any untested device may be a potential avenue for attack against a network ranging from an employee simply plugging in a USB device, through to untested IoT technology.
Whereas security specialists once dealt with the entire process behind procuring and installing surveillance technology, the task has now become more collaborative – sitting jointly between IT departments and their security counterparts. This is due to an industry shift, with surveillance and security technology now a key feature of the IT network. The rate of technological advancement, when combined with unclear cybersecurity responsibility between internal stakeholders, has left something of an education gap. In real terms, this means that when it comes to supply chain management, due diligence is often not practiced – simply because those responsible for the technology do not have the breadth of information necessary to make informed decisions and mitigate cyber risks. GDPR provides the perfect motivation to meet these challenges head on.
Confirming security; mitigating liability
GDPR, in essence, is designed to bring businesses up to a minimum standard on damage mitigation. The regulation does not stipulate that a business must be unbreachable; only that the prerequisite planning and research has been undertaken; that compliance has been achieved to minimise the potential of a breach, and effectively react should a breach occur. Whilst GDPR specifically relates to a company that retains and loses Personally Identifiable Information (PII), this responsibility does not necessarily extend to companies in the supply chain where the unsecure technology is sourced.
What this means is that while organisations within a supply chain may not be directly liable for a breach under GDPR, it provides a case for rolling the impact of GDPR fines downhill from the organisation which has purchased the device. Should an organisation suffer a data breach and subsequently be fined under GDPR, when the cause of the incident is identified, the liability will likely not remain with the original company if due diligence is practiced or can be proven. Should an organisation within the supply chain, claiming their technology is secure, then have their assertions proved otherwise, they will be potentially vulnerable to action from firms using their technology under false impressions.
The UK’s ‘National Cyber Security Strategy 2016-2021’[3] refers to the concept of ‘secure by default’, “ensuring that the security controls built into the software and hardware…are activated as a default setting by the manufacturer.” This concept is an essential element to any technology utilised today. The cybersecurity element of a modern business is a process, however, and extends far beyond a product-led approach. True security requires collaboration between user and manufacturer – no device, despite being secure by default, will remain so with default passwords enabled, for example.
GDPR is designed to ensure a baseline of security across the EU and countries holding EU-related data. In meeting the compliance challenge, fines can be avoided through comprehensive reporting, data storage methods and access limitation. By implementing due diligence at every step of the supply chain, the burden is further reduced. GDPR compliance is not an issue that will be met by end-users alone. Instead, a collaborative approach where vendors, manufacturers and end-users all take responsibility for cybersecurity effectiveness will ultimately minimise the risk of a damaging breach.
To find out more on how to implement a secure approach to IoT technology integration, Steven Kenny explores the latest strategies from Axis. Read the e-book here. (Link: http://www.axis-communications.com/cybersecurity-neur)
About Axis Communications®
Axis offers intelligent security solutions that enable a smarter, safer world. As the global market leader in network video, Axis is driving the industry by continually launching innovative network products based on an open platform – delivering high value to customers through a global partner network. Axis has long-term relationships with partners and provides them with knowledge and ground-breaking network products in existing and new markets.
Axis has more than 2,700 dedicated employees in more than 50 countries around the world, supported by a global network of over 90,000 partners. Founded in 1984, Axis is a Sweden-based company listed on NASDAQ Stockholm under the ticker AXIS. For more information about Axis, please visit our website www.axis.com
Follow us on Twitter: @Axis_NEur
