On the second anniversary of GDPR, Steven Kenny, Industry Liaison – Architecture & Engineering at Axis Communications, reflects on the impact that the regulation has had on the cybersecurity of IoT devices in relation to physical security.
For businesses everywhere, the enforcement of the General Data Protection Regulation (GDPR) in May 2018 meant that greater responsibility had to be taken to safeguard personal data. The view of the National Cyber Security Centre (NCSC) that cybersecurity and GDPR compliance are intrinsically linked became all the more apparent when high profile cases such as those against BA and Marriott hit the headlines. The heavy fines the Information Commissioner’s Office (ICO) announced following breaches of those companies’ systems have been instrumental in demonstrating to senior decision makers how serious the consequences of a cyber attack can be.
As we approach the two-year anniversary of the GDPR, it has been well and truly bedded in, with businesses acknowledging that the ICO takes a stern view of companies that cannot demonstrate sufficient control over, and protection of, the data they store. IT decision makers now have a greater presence in board-level meetings, because IT’s direct involvement is instrumental in guiding the design and security of systems. The drive towards more secure technologies has also brought an increased focus on the trustworthiness of stakeholders, end clients and everyone else in the supply chain.
Increased awareness: data and the need to protect it
The GDPR brought with it an increased awareness of the data that companies hold on individuals. The number of subject access requests issued to operators by members of the public has increased, particularly because the GDPR removed the fee that could previously be charged for them. Over the last two years there has also been a steady increase in the number of requests for data protection impact assessments, which must be completed during the planning stages of a newly proposed project, before any high-risk processing begins. Planners want to fully understand the impact of their systems on individuals before an application can be accepted.
The GDPR and the use of personal data in public spaces have also raised public awareness of technologies such as video surveillance. We have seen reports of businesses being fined for inadequate signage, which must tell people that they are being recorded, by whom and for what purpose. In addition, police forces in both England and Wales have faced heavy criticism over the deployment of facial recognition systems, and companies have been fined for failing to register such systems with the ICO.
The importance of cyber secure systems
In addition to fines for non-compliance, businesses that do not pay full attention to the security of their systems face risks from social engineering, ransomware and other targeted, advanced attacks. A compromised IoT device, such as a network camera, gives an attacker a foothold inside the network: it becomes a backdoor through which the wider IT estate can be reached. Self-certification schemes such as Secure by Design, Secure by Default from the Surveillance Camera Commissioner have been instrumental in raising the bar, encouraging technologies that are built from the ground up with cybersecurity as a key factor rather than bolted on as an afterthought. Certification at manufacture is only the starting point, however: a device still has to be deployed with its default credentials changed, kept patched and placed on a segmented network if it is to stay secure in service. Such developments are, and will continue to be, instrumental in preventing the sorts of large-scale incidents that have hit the national press.
Within the physical security industry, we have witnessed increased awareness across the channel of the need for GDPR compliance. However, there is still a long way to go. While awareness of the need to meet cybersecurity regulations and the GDPR is growing, there are still those who are falling behind. Businesses need to keep pace with the changing landscape, because cyber criminals always look for the path of least resistance. Taking control of the security of our infrastructure is something we should all remain focussed on beyond the second anniversary of the GDPR.