Security by Design: How Standards Help Business Combat Today’s Cyber Threats
Digital transformation is a process that’s driven from the boardroom. And as organisations digitise all their operations, C-suite executives are impelled to join a conversation that was until recently the preserve of the Chief Information Officer and ICT teams. It’s quite an understatement to note that the cybersecurity landscape has changed in the last couple of years. Several strands of new legislation are forcing corporate boards to view the cybersecurity and resilience of their operations through a sharper lens. Implemented in May 2018, the General Data Protection Regulation (GDPR) has placed the legal onus on organisations to implement processes that protect the personal data of all European customers, regardless of their geographical location and citizenship.
We’ve seen a chastening illustration of this legislation in July this year, when British Airways was handed a record-breaking fine of around €200 million by the UK Information Commissioner’s Office. Through modification of British Airways website code, hackers harvested details of half a million people, including names and addresses, payment card and flight booking details. The watchdog determined the breach to be a clear consequence of BA having insufficient measures in place to safeguard this data.
This is a wake-up call for senior executives as to size of fines UK and other European regulators will impose for any future breaches. As Information Commissioner Elizabeth Denham noted: “when an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it”. Amounting to around 1.5% of BA’s revenues, the UK fine dwarfs the half million pound (€550,000) penalty handed to Facebook for last year’s Cambridge Analytica scandal that occurred before GDPR took effect. Had it happened after, the cost to Facebook could well have been far higher. And if that wasn’t enough, Facebook has since faced a $5bn fine in the US, plus further potential penalties in other countries.
GDPR has several parallels with the California Consumer Privacy Act, passed into law in June 2018 and taking effect from 2020. While other US states have legislation in place to safeguard customers’ private data, the far-reaching CCPA mandates businesses to disclose transparently what information they are collecting from State inhabitants, how and why they are collecting it, and who they may be sharing it with.
There’s plenty more to focus C-Suite minds. Taking force in June 2019, the EU Cybersecurity Act (CSA) requires a common certification framework that companies doing business in the EU must comply with before their products and services are allowed onto the market. This aims to ensure that all products sold into Europe have strong cybersecurity and privacy that’s maintained over the expected lifetime of the product.
While the exact schemes are still likely to be under development in EU standards bodies for the next few years, the European Network and Information Security Agency (ENISA) has been given a clear remit by the EC to ensure the CSA ensures products sold in the EU are cyber secure. An early illustration of this activity is ETSI’s own standard on Cyber Security for Consumer Internet of Things. Meanwhile the UK National Cyber Security Centre (NCSC)’s Secure by Defaultprogramme is an example of the design methodology certification which may be considered the CSA.
In parallel with this, the Radio Equipment Directive (RED) – coming into force across all EU member states – puts stringent restrictions on the sale of devices that incorporate some kind of radio transmitter/receiver function. While the RED is broader in its scope than the CSA, it imposes cybersecurity and privacy requirements on all components (software and hardware) that contain a radio transmitter. While discussions on RED compliance are at an early stage, it’s clear that European standards are the route via which the EC will seek to address RED compliance.
On the face of it, this wave of legislation seems like a draconian and expensive additional burden for businesses to bear. But it’s there for a very good reason, and ultimately it may well benefit corporate bottom lines. Most of us have at least a basic grasp of the importance of IT security at home, whether it’s keeping antivirus software up to date or avoiding easy-to-guess passwords like ‘12345678’. However, many consumers barely understand the risks to their personal data created by the explosion of connected devices.
You might not think that a fridge, central heating controller, baby monitor or smart watch would attract interest from bad actors. But while they’re connected to the Internet, the lack of basic security that’s built into these devices is often frightening. Poor security in one device, especially if it has audio or video recording capabilities, can rapidly lead to a wider compromise of more devices in a smart home. Default weak passwords in many current IoT devices aid attackers, compared to PCs where such attacks were largely eliminated twenty years ago. An attack that starts with a compromise of a relatively low functionality device can potentially result in the eventual loss of personal data (such as payment details) from other more feature-rich devices or services.
Many devices such as TVs, fridges and cars into which IoT capabilities are being designed have much longer lifecycles than the typical three-year consumer device renewal cycle. Poor cybersecurity design must not result in a shortening expected life of the wider product into which such IoT / IT functionality is integrated.
With the number of connected devices forecast to exceed 20 billion by 2025, the scale of this threat to consumers’ security can scarcely be underestimated. Nor can the financial and reputational risks facing every organization that offers ICT products or services to market. And as these products and services get more complex, adding cybersecurity as a 2.0 retrofit gets much harder. Instead, corporate executives must pivot to a mindset that embeds security by design into every element of their products and services. In this new landscape, cyber resilience is a fundamental part of your bill of materials, rather than an optional bolt-on you can charge customers for.
It’s the provider of a product or service who is ultimately responsible for its defence against vulnerabilities. And if the design of your product relies on interactions with outsourced components or entities – like an embedded module from a third party, or the exchange of data with a cloud-based platform – the buck still stops with you when customers’ personal data is compromised in any way.
The message is clear. If organizations don’t demonstrate that they are taking cybersecurity seriously, the penalties will be harsh. Much like the vehicle emissions scandal in 2015, executives of companies in breach of regulations will themselves be personally accountable, facing the threat of financial liability and even criminal negligence charges. Within Europe product/service cybersecurity and privacy have moved from a vague expectation for all EU citizens to a legal right. To support compliance with this new regulatory regime, ETSI’s work actively guides companies to follow best cybersecurity practice. Developed by our members, our technical specifications allow organizations to ensure their products and services are fully compliant with GDPR, CSA and RED in terms of their cyber resilience.
Earlier this year, ETSI released a standard that sets a baseline for the security of Internet-connected consumer products. Many of its thirteen provisions – including no universal default passwords – are hardly rocket science, yet many current devices fail to meet them. As discussed, the CSA will make compliance mandatory, with failure leaving manufacturers open to hefty GDPR fines if the resulting weakness results in loss of personal data.
Adherence to our standards gives manufacturers and service providers a powerful defence in the event of a security breach actually taking place. What’s more, these standards give industry the opportunity to communicate effectively with customers and increase the perceived value of their products. For example we may see the rise of labelling schemes to certify the security of devices and systems for consumer and B2B markets alike, much like the colour-coded energy rating displayed on consumer appliances.
“The potential benefits of the IoT will be achieved only if products and services are designed with trust, privacy and security built in, so consumers feel they are secure and safe to use”says Stephen Russell, Secretary-General of ANEC, the organization representing consumers in standardization that is also an ETSI member.
Cybersecurity is an inescapable part of today’s corporate agenda. And as more companies are realising, taking an active stance on the development of security standards – through membership of organizations like ETSI – can be the most effective way to ensure that boards are actively engaged with a conversation that nobody can afford to ignore.
Learn more about the work of ETSI’s Cyber Security committee at: etsi.org/technologies/cyber-security