There’s a growing concern about how to establish secure information exchanges. Companies must think about how they take their digital responsibilities. Responsibility means working with information management in a proactive and sustainable way.
We believe that secure information flows are necessary for you to be respected as an attractive employer and leading-edge business. Responsible information management gives you the ability to achieve viable and sustainable businesses that open up for innovation and new revenue opportunities.
Information management as part of CSR
Companies need to change the way they view sustainability, and weave information management into the more traditional parameters of CSR (Corporate Social Responsibility) efforts such as environment, working conditions, effects on society etc.
Information today is a giant building block for almost every part of society. And some of this information should and must be protected.
Information security should be discussed and prioritised more often in boardrooms and by management. This is vital because taking digital responsibility can have important effects on society. Protecting information and using and building secure systems should be a clear part of CSR, or CDR (Corporate Digital Responsibility), that every company follows. This is becoming more and more important, not only for the companies themselves, but for the security of our society.
Future-proof solutions help you take your digital responsibility
Future-proof solutions for information security – that is what you need to be able to take your full digital responsibility. This means you have to ensure that your supplier's way of working allows them to remain digitally responsible over time. Do they provide security updates throughout the product life cycle? Is their product/solution future-proof? These are important questions you need to ask your supplier of information security solutions.
Digital Responsibility – more than technology
With innovative and future-proof technology solutions, you have the right tools to take your digital responsibility. However, information security entails more than technology.
People and processes are equally important to succeed. Sustainable protection requires systematic and continuous work based on assets, threats and risks.
The first step is to understand which information is critical to the business. A risk and security analysis helps you identify the problems as well as specify and prioritise necessary measures. However willing you are to protect your information, it is not practical or financially justified to protect all information in the same way, so the next step is to make some decisions based on the analysis.
So what does Digital Responsibility entail?
Digital Responsibility should be seen as an absolute need to ‘do good’ with your digital technology and your digitalisation efforts. This requires a balanced and conscious prioritisation between three partly conflicting cornerstones:
- Digital Functionality
- Digital Privacy
- Digital Sustainability
Technology advancement is inevitable. The digitalisation currently ongoing is necessary. As a society we need to extend our possibilities of measuring, collecting and processing information so that we can, in a more optimised way:
- Use the limited resources we have
- Plan to minimise scrap, and...
- Find new opportunities that can either directly create values or indirectly through increased entrepreneurship and innovation.
Within functionality, you find possibilities for innovation and opportunities for new and extended business as well as the more mundane functions that ‘have always been there’. The responsible approach is not to avoid development and digitalisation or progress beyond. The responsible approach is to balance Functionality with the other two cornerstones.
The second cornerstone is the responsibility for Digital Privacy. The right to privacy is part of the Universal Declaration of Human Rights. In Europe, the awareness of issues related to privacy has made a recent jump due to the EU GDPR regulation that went into force in May 2018. Regardless of regulation, Digital Privacy must be part of any technology design ahead, not only from a short-term point of view but also with a concern for possible long-term effects.
The traditional information security objectives (confidentiality, integrity and availability) are now complemented by three new objectives: unlinkability, transparency and influence. These goals are contradictory pairs; one cannot, for example, have maximum availability and maximum confidentiality at the same time. Therefore, it becomes a necessity to understand the implications of different technical design decisions so that the solutions being built are balanced between the different objectives. The focus is about to shift from the traditional objectives towards the new ones.
The third cornerstone is Digital Sustainability. The digital functionality we build and the digital capabilities our new technology enables should aim to follow a digital version of the Hippocratic Oath: ‘abstain from doing harm’. Our society is moving very slowly towards a kind of hypersensitivity to disruptions in our digital technology. This is apparent in technology surrounding critical infrastructure, in which a lack of Digital Responsibility can have dire consequences. Attacks or even poor implementation in the IT and OT systems surrounding our core infrastructure can easily put great values or even lives at risk. There are other needs for digital sustainability. Burying waste or dumping it into the ocean was acceptable in the past because we ‘didn’t know better’. Future effects on our society due to ‘digital spill’ in terms of breaches and leaks or the huge ‘social memory’ built by social media are unknown.
All three of the cornerstones above carry responsibility. At the basic level, there is a need for Digital Accountability. The functionality we include in our technology, the choices we make in our designs and the data we choose to collect will affect our common future. It is worth noting that (digital) security is not a cornerstone in itself. IT and information security are the tools by which we will accomplish many of the responsible actions necessary.
At every decision, Digital Responsibility should force a strategic view so that a balance is established between the Digital Functionality put in place and its short and long-term effect on Digital Privacy and Digital Sustainability.
The responsibility extends to more than the current year. You need to assume responsibility for potential future uses and misuses of your collected data and your implemented functionality. If your actions today could be used in a hostile way by tomorrow’s actors, you should use a principle of caution today. If your technology can be misused tomorrow, you are responsible today.
Laws and regulations
A part of taking digital responsibility is to comply with laws and regulations that are aimed at protecting sensitive information. Digitalisation not only creates business opportunities but also opens more attack vectors to systems. The number of cyberattacks has increased sharply over recent years, not only from criminals and script kiddies but also from state-funded forces with great endurance and vast resources. Raising information security within critical infrastructure raises society’s readiness for external disturbances.
The NIS Directive
The NIS Directive tightens the requirements for information security in terms of integrity and availability. It is important to take people, processes and technology into account to ensure information security in the affected organisations. Better understanding in general of information and system risk classification together with impact contingency and action plans is necessary to improve resistance to attacks. Incidents are to be reported as part of increasing knowledge and raising preparedness. Basically, focus lies on the network and information systems that are used.
By legislating meaningful rights for the individual, and the corresponding obligations on the organisations who manage the information, the power of the information is transferred to the individual. GDPR (General Data Protection Regulation) brings revolutionary changes in IT systems. It also involves major efforts to adapt all the systems and procedures to the new requirements. This opens up great opportunities for those who deliver services and products in the field of information security. It is no exaggeration to compare the scope of work with the Y2K adaptation.
How do you take your digital responsibility?
Time to start working. If you are a C-level executive, just start balancing your work of building new functionality, increasing operational efficiency and creating new business opportunities with the decisive act of Digital Responsibility. If you are not currently at C-level in your company, you can start discussing related topics around Digital Responsibility to move the subject towards the bigger question of responsibility and accountability rather than tackling every issue on its own. If you want to start working proactively with digital responsibility, for example in the digital privacy area, here are five action items:
- Involve. Start involving your management and board in discussions and reflections on your current Digital Responsibility position.
- Take stock. Identify the information you store, transport and process, and which therefore needs protection.
- Inform. Be clear in your communication to the customers whose data you manage about how you will protect their information.
- Think privacy by design. Whoever designs without understanding these impacts will need to make corrections in hindsight - something that will always be more expensive than doing it right from the start.
- Consider laws and regulations that demand that you take responsibility.
Do you want to read more about Digital Responsibility?
To read more about the different parts of Digital responsibility and where to start, download our White Paper #05 Digital Responsibility - the only viable way forward.
If you need some guidance regarding digital responsibility, you are welcome to contact us!