Cybersecurity and privacy: it takes two to tango!
By: Ivan Vandermeersch
Society is already data driven and we are all digital by default. Within the EU alone, the number of connected devices is estimated to grow from approximately 1.8 billion in 2013 to almost 6 billion in 2020.[1] The data these devices collect already amounts to an enormous quantity. According to the World Economic Forum, the volume of data is forecast to keep growing by 40% a year over the coming 10 years, reaching approximately 44 000 000 000 000 gigabytes (44 zettabytes) in 2020. The Internet of Things (IoT) is the driver behind this exponential increase.
In our hyper-connected world, the individual becomes the center, or better said, the interface between a network of internet connected objects and devices. We create data through every interaction with IoT devices. This data contains highly detailed information about the interests, networks, habits and the behavior of you and me as individuals. We will use and are using IoT devices to manage our health, run our home, travel, drive and improve our quality of life in new and innovative ways. Businesses will benefit from more efficient systems to provide better service to their customers.
The marketer sits behind all this data, but responsibility for making connected devices cyber secure is shared by companies of all sizes and from all sectors of the economy: manufacturers, service providers, and standard-setting bodies.
The General Data Protection Regulation (GDPR) will require businesses and, more specifically, IoT providers to implement new methods and technologies for the protection and security of personal data. In Article 25 the GDPR introduces two principles that will need to be taken into account when designing and manufacturing products: "privacy by design" and "privacy by default" (the Regulation's own wording is "data protection by design and by default").
- Privacy by design requires that privacy protection be built in when developing new products, services and systems, not bolted on afterwards or as an afterthought.
- Privacy by default requires that the privacy-protecting options be active by default, so that users have to actively select less privacy-friendly settings. For instance, in an application in which personal data can be shared with other users, sharing is the less privacy-protective choice and must therefore be switched off out of the box. Users must actively and consciously turn it on.
In parallel, the Network and Information Security (NIS) Directive aims to achieve a high common level of security of network and information systems across the EU through improved cybersecurity capabilities at national level as well as increased EU-level cooperation. It also requires "operators of essential services" and "digital service providers" to take appropriate steps to manage security risk and to report security incidents to the national competent authorities.
Industry and government must work collaboratively to drive the use of privacy-by-design and security-by-design practices.
Member States have until 9 May 2018 to transpose the NIS Directive into national law, whilst the GDPR becomes applicable on 25 May 2018.
A policy climate that focuses on managing risk rather than blocking change is needed. Since the greatest vulnerability of the IoT is human error and poor cyber hygiene (clicking on phishing links, leaving default passwords in place, etc.), there is a need to increase consumer awareness of cybersecurity. In parallel, small and medium-sized enterprises should be encouraged to adopt the best practices already introduced by their more sophisticated peers in government and industry.
Marketers, developers and manufacturers need to "connect" in this battle to advance coherent solutions for managing the risks inherent in IoT devices.
Technology is not privacy-neutral anymore.
[1] IDC and TXT Solutions (2014), SMART 2013/0037 Cloud and IoT combination, study for the European Commission.