Security of networked devices gains importance under GDPR

Date: 2017/11/10
Source: a&s Editorial Team

With cyberattacks against networked devices, including IP cams and NVRs, becoming more rampant, the issue of security of security devices has become pivotal. It will gain further importance under the EU General Data Protection Regulation (GDPR) set to take effect next year, and collaboration among companies within the supply chain to ensure security will be critical.
 
That’s the point raised in a recent blog post by Axis Communications titled “How collaboration will ensure GDPR compliance within supply chains.”
 
According to the GDPR website, the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.
 
“The General Data Protection Regulation (GDPR) is a concern for business leaders across the globe. Awareness of the incoming regulation has been improving, with 67 percent of CIOs advising that their business have a clear understanding of the legislation. This will, of course, be crucial going forward, with fines of up to 4 percent of annual turnover or 20 million euros following a data breach, whichever is higher, potentially affecting businesses’ chances of success,” the post said.
 
According to the post, a significant but perhaps not commonly publicized risk is the security of networked devices, with various malware variants utilizing IoT technology such as IP cameras as staging grounds for wider attacks.
 
“The issues often arise from the way IoT technology is deployed. A worst-case scenario is when an IP-enabled physical security system, installed to protect assets and information, is in fact a network’s weakest link – granting an attacker access to unauthorized areas of the network,” Axis said. “As such, with an increasing number of threats facing businesses and an expanding amount of attack vectors, firms need to look further afield than their own four walls to ensure cybersecurity.”
 
According to Axis, while GDPR does not stipulate that a business must be unbreachable, it requires that prerequisite planning and research has been undertaken, that compliance has been achieved to minimize the potential of a breach, and that the firm is geared to effectively react should a breach occur.
 
“This means that organizations within a supply chain may not be directly liable for a breach under GDPR. Instead, responsibility would remain with the company holding personally identifiable information. However, if due diligence is practiced or proven, should an organization suffer a data breach and subsequently be fined under GDPR, the liability may be cascaded down to an organization within the supply chain claiming their technology is secure, when it is in fact not,” Axis said.
 
That is why companies must work with their supply chains to ensure security and best practice across the board, Axis said. “By implementing due diligence in every step of the supply chain, the burden is further reduced. GDPR compliance is not an issue that will be met by end-users alone. Instead, a collaborative approach where vendors, manufacturers and end-users all take responsibility for cybersecurity effectiveness will ultimately minimize the risk of a damaging breach,” it said.