Trusted Smart Products and Trust by Design
March 20, 2019
More consumers are becoming increasingly aware of their need for privacy and safety while engaging online. As such, decisions on the products they purchase, whether a vehicle, a gadget or necessities for a connected home are based on trust.
Many of the data breach cases reported across the world are either borne from a lack of security systems employed by organisations and individuals or by hackers. While consumers can do so much in trying to protect their personal data, a lot of the responsibility in ensuring safety and privacy should be borne by the traders that design these products, as well as the organisations that collect consumer data.
Trust by Design
Trust by design is a concept that encourages manufacturers and digital technological companies to put consumers (who ultimately become the victims of data breaches) at the centre of solutions.
The Internet Society in the 2016 Global Internet Report suggested that a ‘user-centric’ approach should be employed when designing consumer products or applications. The report also suggested that transparency needs to increase through data breach notifications and disclosure and that organisations should be made accountable for their breaches.
This approach was later emphasized by Consumers International to ensure that user safety is at the forefront of concept and design of Consumer Internet of Things (CIoT) Products.
The Principles
Consumer spending is fuelled by consumer confidence and trust. Providers of Consumer Internet of Things products and services therefore, must consider these during design concept stage. Following are some principles that providers are urged to employ when designing CIoT products and services. Security Providers should build security by design into IoT devices and services, including in any software associated with such devices.
They should adhere to the Global System for Mobile Communications Association (GSMA) or the Internet of Things Security Foundation (IoTSF) security guidelines. In the event of any security breaches, providers should ensure customers are notified and act expeditiously to mitigate the impact of any security breaches.
1. Privacy: This means ensuring that privacy standards are met during the conception, design and life cycle of their devices. Providers should provide customers with a clear, comprehensive and an easy to understand privacy policy. It should also outline how the consumers’ personal information are collected and processed. In the event of any data breach, providers should notify customers and act quickly to mitigate any such issues.
2. Transparency: Consumers should have access to clear and easy information about CIoT devices and services they have purchased. Such information will include but not limited to, the name of the supplier, the price, a description of the device and any associated service, including any limitations or restrictions. It should be clear who the consumer can contact if they have any problems with the device or the communications service.
3. Supporting vulnerable customers: Particular care should be taken in relation to vulnerable customers. When designing CIoT devices and services, accessibility features need to be incorporated. Devices and services designed for minors need to have additional levels of care in relation to security and privacy features.
4. Customer support and complaint handling: Providers should provide adequate customer support and handle customer complaints in a timely manner and make independent redress mechanisms available to consumers where complaints cannot be resolved directly.
Environment: Providers should aim to reduce the environmental impacts of their CIoT devices and services, empowering their customers to make more sustainable choices.
Creating the culture of awareness in organisations
A breach in an organisations data could possibly lead to an exposure in a consumer’s personal data. It is prudent, therefore, that employees of organisations that record consumer data understand these threats and determine how to recognise fraudulent emails.
Data breaches can take place via emails through a practice known as phishing. Phishing is a form of social engineering in which an email is sent that appears to be legitimate and requests a user to log in to a fake news website as a means to capture their password. By spamming large numbers of users, the hackers can capture information that may lead to a data breach of an organisation associated with the user who was tricked.
There is a need for continuous awareness amongst individuals as well as employees of organisations on how to avoid phishing. It is imperative that organisations or companies working with scores of consumer data apply trusted tools and best practices to prevent phishing and block embedded malware. Consumers’ information safety and privacy is paramount and as such must be protected at all costs.
There are many ways to ensure that employees do not fall prey to phishing attacks and also a multitude of online resources that Consumers can use to stay up to date with ways to avoid phishing scams. One of these resources is Phishing.org, a resource for IT professionals to keep users up to date on the latest phishing threats as well as a way to help better educate users on smarter security decisions when it comes to phishing. Some of the techniques recommended by Phishing include:
1. Keeping Informed about Phishing Techniques
New phishing scams are being developed all the time, therefore staying on top of these phishing techniques is extremely important. Keep your eyes peeled for news of phishing scams and take note of these to share with work colleagues.
2. Be Paranoid
Never automatically assume that all links sent via email are legitimate. Carefully check the emailed URLs and email senders address for typos which could indicate that it is an attempt at phishing
3. Verify a Site’s Security
It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites.
4. Check Your Online Accounts Regularly
If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.
5. Keep Your Browser Up to Date
Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.
6. Use Firewalls
High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.
7. Never Give Out Personal Information
As a general rule, you should never share personal or financially sensitive information over the Internet. When in doubt, go visit the main website of the company in question, get their number and give them a call. Most of the phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”.
-ENDS-