Headlines continue to abound about data breaches which threaten not only our institutions and economies but also consumer trust in the digital society. They also put new business models and product offerings at risk, suggesting that the market’s dynamics fail to work as they should when it comes to security.
What we need is greater awareness of the relevance of security in connected devices at the consumer level. But this will hardly emerge overnight. If we really think about it, we as an industry have not even begun to educate consumers about the importance of security or identifying a product’s security level. Generally, security is not a marketed feature today.
Yet the example of the energy transition proves that such a change can succeed. Energy efficiency was not on the minds of consumers years ago, and few knew what to do with “kilowatt hours” until the EU energy label for electrical appliances became established, making it easy to grasp the concept. Today, no one would buy a fridge with a red energy label denoting high power consumption.
So, what can we do to start a similar development with regard to data security? It’s the task of manufacturers and policymakers alike to strengthen people’s trust in secured products while creating greater transparency for consumers. While this will not eliminate all cyber risks, it will improve consumer perception and make security a visible and easily understandable product and quality feature – and it will make sure consumers ask for it.
As cybersecurity is of national if not geopolitical importance, policymakers have a special responsibility to create this awareness among consumers while at the same time supporting the development and marketing of secured products and systems. To achieve this, a security label is just as sensible an idea as the EU energy label for electrical appliances.
The challenge is that it must be easy to grasp while indicating the security level of the device, which demands a transparent, well-defined and meaningful certification process.
The EU Commission published a Cybersecurity Act (CSA) for IoT devices, processes and services in September 2017. The proposal denotes three levels of staged security for connected products and fosters new EU security certification schemes, at least for the levels “high” and “substantial”. It is expected that the trilogue on the CSA between the EU Commission, Council and Parliament will reach a consensus by December 2018; the new regulation would then be adopted in the EU Member States.
The ‘Trust in the Internet’ initiative by French President Macron, introduced at Paris Digital Week in early November, also aims to develop common principles for securing cyberspace and to enable infrastructures and organizations to improve their cyber protection.
How can we achieve this as an industry? Let me give you some hints.