Just because a product or company calls itself smart doesnt mean it actually is.
I recently received a promotional email from a company selling a smart firewall. It was built, the marketing said, to protect connected devices. Out of curiosity, I visited the website where, not too surprisingly, I didnt find any type of security or privacy notice. Unable to temper my curiosity, I contacted the company to request information about the security and privacy of its device. No response. After two more attempts, I gave up.
But, I was left wondering: Did they not have any information to provide? Or worse, were they trying to hide something? Such impressions do not engender trust.
Would anyone consider securing a tablet, TV, smartphone, information-of-things (IoT) door locks and other connected devices as the email suggests with a technology that cant be trusted to keep safe the data it collects?
Sadly, I think many would. In fact, far too many people likely wouldnt even think twice about it. And far too many companies get away with not having adequate privacy policies in place.
Unfortunately, privacy policies are often nonexistent or treated as nothing more than a formality. In these circumstances, the policies are often inadequate, poorly maintained and / or unenforced.
In addition to failing to prepare and communicate privacy policies, an alarmingly large number of businesses have not performed privacy impact assessments (PIAs). Of those that have, many of them are more than two years old. That length of time may as well be decades, given the rate at which technology is changing and new vulnerabilities are being introduced.
Insist on privacy policies
Businesses should only partner with entities that can demonstrate they take data security and privacy seriously.
There are a number of resources you can use to evaluate the entities you do business with. Here are a few:
Assessments. A privacy impact assessment identifies risks to personal data and potential harms to the associated individuals. It is becoming an expected activity within all information security and privacy programs, as well as a legal requirement within a growing number of U.S. and international regulations.
Surveys. A vendor security and privacy assessment survey, particularly a concise one that gets to the point without redundancy, is a great way to quickly get an overall sense of an organizations approach to privacy. Watch for answers to questions that do not match the organizations actual practices. For example, if the company indicates it has a policy to use passwords that are a minimum of eight alpha numeric characters in length, but you find its passwords are actually five alpha characters, that is a red flag. It shows the organization does not comply with its own security and privacy policies. Makes a person wonder: Are they not complying with all other security policies? That would put the data youve entrusted to them at great risk.
Contracts. When partnering with an organization, include within your contracts a security and privacy clause that includes, at a minimum, a right to audit, to request completed risk evaluations on a quarterly or bi-annual basis, to be notified and approve of subcontractors with access to sensitive data and to review documented information security and privacy policies.
Attestations. Obtain from executives monthly or quarterly attestations that security and privacy programs are maintained and enforced. This will establish personal accountability and responsibility for the executives to ensure appropriate safeguards are in place. It is a powerful motivator to make sure these actions are performed with an busing leader can be personally liable.
Affirmations. Third-party affirmations, such as SSAE 18 SOC 2 or ISMS certifications, are a good testament to the companys privacy and security practices. Keeping track of these is made easier with cloud-based tools like SIMBUS Tracker, which provides businesses with access to documentation of vendor certifications and affirmations, along with assessments and key security and privacy program validation.
The next time you consider partnering with an organization or even responding to an ad for a new smart device be sure you understand the companys approach to privacy and its commitment to keeping your data (and that of your customers) safe.