GDPR
SureCloud, the provider of cloud-based, Integrated Risk Management solutions, has been placed on Gartner’s Magic Quadrant for IT Vendor Risk Management Tools for the first time after being recognised on Gartner’s Magic Quadrant for Integrated Risk Management Solutions back in July 2019. The quadrant names 16 key solution vendors identified by Gartner as offering vendor risk management (VRM) solutions. VRM solutions enable organisations to accurately ascertain the security and compli...
Panasonic Security Systems, a business unit of the newly formed Panasonic i-PRO Sensing Solutions Co., Ltd., is showcasing its impressive solutions capabilities at ISC East booth #435. By combining its superior imaging technologies with new AI-driven software and analytics solutions, Panasonic i-PRO Security Systems offers comprehensive, customisable solutions to meet the most diverse range of users’ specific needs. Core solutions on display include the company’s fully integrated Vi...
New research commissioned by Check Point shows that GDPR is delivering a strong positive effect overall for European businesses – but with some significant variations between countries in terms of adopting GDPR measures. Check Point has also developed a new free online tool called GDPRate to guide businesses through the essential components of an effective GDPR compliance strategy. The study of 1,000 CTOs, CIOs, IT managers and security managers in France, Germany, Italy, Spain and the UK...
Securing New Ground, the security industry’s annual executive conference this week in New York, offered food for thought about current and future trends in the security marketplace. Highlights from SNG 2019 included keynote remarks from security leaders at SAP, Johnson Controls and the Consumer Technology Association, discussions on how CSOs mitigate security risks, topic-focused thought leadership roundtables and a lively networking reception. Top trends observed at the event include cyb...
A new cybersecurity service brings professional 24-hour monitoring within reach of SMEs for the very first time. bluedog Security Monitoring, which has been launched by Freeparking.com founder Paul Lomax and cybersecurity expert Tim Thurlings, offers smaller firms the type of managed detection and response service previously only available to large corporates. Highly trained cybersecurity team The launch of bluedog comes as SMEs face increased pressure from customers, regulators and investors...
A survey of UK GDPR decision-makers conducted on behalf of Egress, the provider of people-centric data security solutions, reveals that 52% of businesses are not fully compliant with the regulation, more than a year after its implementation. The survey also found that 37% of respondents had reported an incident to the ICO in the past 12 months, with 17% having done so more than once. Interestingly, the results showed that over half (53%) of mid-size companies had reported data breaches to the I...
News
Crossword Cybersecurity plc has announced the availability of Rizikon Assurance 2.0, an online solution to the problem of third-party risk. The new version allows organisations to visualise all risks for each third-party through fully customisable 360-degree supplier scorecards. The new Third-party Assurance Framework Dashboard – an industry first – gives Supplier Management teams, Chief Risk Officers and senior executives a complete understanding of third-party risks across their supply chain, helping identify problem areas and prioritise remedial action. Every day there is a new report of a third-party (often a supplier) causing financial, reputational or regulatory harm to a company – this could be a data breach, an issue with child labour, a missed delivery date, or a safety problem. Rizikon Assurance helps companies address the pressure from Regulators, Auditors, Compliance professionals and customers to improve third-party assurance & risk management. It supports the Rizikon Supplier Assurance Framework, an optional, technology independent, methodology for organising, managing and measuring third-party risks.

Controlling third-party risk with assessments

Rizikon Assurance helps organisations take control of third-party risk with secure online assessments in their own branded portal, automated assessment scoring and workflows. Both standard and customised assessments are securely sent to third parties; once submitted online they are automatically scored, and can be manually rescored by ‘Assessors’, who can flag answers and return them for more detail or improved responses. Procurement and Supplier managers and executives can then instantly use data to understand the risks associated with that supplier, a specific risk area, or across the whole business.
Rizikon Assurance 2.0 is now fully integrated with data sources from Companies House and credit ratings via Creditsafe. This means that Suppliers can be verified against registered information, and limits financial exposure by giving finance and procurement teams instant access to the financial risk data for all suppliers in the Creditsafe database of over 320 million companies. Credit risk can now be viewed alongside all other areas of Supplier risk (Cyber, GDPR, Continuity, etc.) on a single scorecard.

360-degree view of third-party risk

New Rizikon Assurance Scorecards allow customers to see all risks for each third-party with combined risk information from the Assessments they have completed on multiple topics, as well as data from Companies House and credit-scoring from Creditsafe. Scorecards give an at-a-glance 360-degree view of third-party risk in a context defined by the customer, as each scorecard segment and weighted risk calculation is customisable. The industry-first Assurance Framework Dashboard gives executives and risk professionals a top-level view of all risks across all third parties, organised by ‘Impact levels’. It allows them to quickly focus on high ‘criticality’ third parties needing the most attention and drill-down into those risks. The dashboard also highlights where assurance information gaps exist, which may leave a company exposed.

SaaS platform with two-factor authentication

Rizikon Assurance comes with a growing library of standard assessments that organisations can use to support third-party assurance covering areas including Cyber Security, Modern Slavery, Anti Bribery & Corruption, GDPR and Minimum Wage legislation. These can be combined with customised assessments based on a customer’s own tried and tested question sets.
Delivered as a SaaS platform, the installation and hosting, maintenance, support and security of Rizikon Assurance is taken care of by the Crossword Cybersecurity team, reducing both risk and total cost of ownership. Security features include two-factor authentication and 256-bit end-to-end encryption. All data is hosted in the UK across multiple data centres.

Third-party assurance and risk management

Jake Holloway, Director responsible for Rizikon Assurance, commented: “Despite third-party risks being one of the top enterprise risks for any large company or organisation, third-party risk assurance is often under resourced and simply not visible at board level in the same way as other areas, such as global trade policy or cyber security. “The Rizikon Supplier Assurance Framework and Rizikon Assurance 2.0 give companies a methodology and software platform that improves third-party assurance and risk management through efficiency, automation and better visibility of risk areas and individual suppliers. Finally, boardrooms can answer the question ‘How much third-party risk do we have and exactly where is it?’”
Berlin, Frankfurt, Munich, Birmingham and Paris are the stops of this year's Geutebrück Roadshow, which takes place in October and November. The one-day events will examine topics such as predictive maintenance, face recognition and cloud, as well as the added value of video security in these environments. Professionals from the logistics, automobile, financial and security-related industries will share insights on how these themes interact with video security and how the resulting challenges can be mastered.

Video-security expert

The roadshow can be visited in the following cities: October 22 in Berlin, October 24 in Frankfurt, November 5 in Munich, November 12 in Birmingham, Great Britain (English only) and November 14 in Paris, France (Focus on AI, French only). Experts and people responsible in the fields of security, IT, process optimisation and supply chain can register online. Geutebrück is an international video-security expert. The high-performance software and hardware can be versatilely used to guarantee security, maintain transparency and optimise processes - always in accordance with the stringent rules of the European Directive on the Protection of Personal Data (DS-GVO).
Milestone XProtect Corporate 2019 R2 is the first major video management software product to obtain a complete GDPR-ready certification from EuroPriSe. XProtect Corporate 2019 R2 is the first major video management software product to obtain the highly sought-after EuroPriSe (European Privacy Seal) GDPR-ready certification. With the GDPR-ready certification from the independent and recognised institute EuroPriSe, end-users can be confident that they have the right foundation to build a GDPR compliant video surveillance installation.

Video management installations

The certification covers all core capabilities of Milestone XProtect Corporate, building on the native XProtect cyber security features. To help system integrators and end-users design, implement, and operate GDPR-compliant video management installations, Milestone Systems provides a holistic set of tools, including an extensive GDPR Privacy Guide with ready-to-use templates, as well as privacy awareness training for end-users. “While GDPR is an EU-centric regulation, data privacy is a concern in many parts of the world, where we see similar regulations coming into force. GDPR is on par with, or in many cases tougher than these domestic regulations, so the EuroPriSe GDPR-ready certification is of great importance to us. System integrators and end-users can rest assured that they have the right foundation on which to build GDPR-compliant solutions,” says Chief Technology Officer Bjørn Skou Eilertsen, Milestone Systems, and continues:

Protect personal data captured

“With the continuous technology evolution, video management products have become very powerful, which calls for a responsible use by end-customers.
In 2017, Milestone Systems leaders joined more than 150 representatives from tech companies around the world in signing the Copenhagen Letter, a declaration that calls on tech companies to use technology in a responsible, human-centred way. Enabling our customers to protect personal data captured and processed by XProtect VMS systems is a natural extension of this commitment.” The GDPR-ready certification covers Milestone Systems’ top range product XProtect Corporate. The ambition is to certify the entire XProtect VMS product range, to allow all sizes of installations to build their video management installations on a proven GDPR-ready base.

Video push functionality

Other updates in the new XProtect 2019 R2 release include a simplified process of working with and getting test licenses, as they can now be obtained directly from the Milestone Customer Dashboard, allowing partners to evaluate, test, and demo XProtect for one year without having to purchase the software upfront. The 2019 R2 release also extends the capability of the existing audio support in the XProtect Web Client by adding support for broadcasting announcements to multiple camera-connected speakers at once, allowing personnel to use the XProtect Web Client to do mass communication when they want to warn a crowd or do promotional announcements. Also, the 2019 R2 release includes enhancements to XProtect Mobile by adding audio support to the innovative Video Push functionality.

Manage device passwords

With the addition of supporting audio, this completes the solution and allows users to create even stronger documentation of incidents, even as they happen. With the 2019 R2 release, it is possible to manage device passwords per device or per group of devices, directly from the XProtect Management Client.
This provides an easier and faster way of securing the device security system and addressing potential vulnerabilities. Milestone Systems is taking yet another step forward in ensuring the best possible end-to-end security of XProtect by removing the ability to generate self-signed certificates in the XProtect Mobile Server and eliminating the option to use self-signed certificates in the XProtect Mobile client. This means that users can rest assured that XProtect Mobile complies with the highest security standard in the industry, with support for CA-signed certificates only.
UK organisations are failing to make progress towards strong cybersecurity and are facing paralysis as cybercriminals become more advanced. This is the conclusion drawn from the findings of the 2019 Risk:Value report – ‘Destination standstill. Are you asleep at the wheel?’ – from NTT Security, the specialised security company and centre of excellence in security for NTT Group. Examining the attitudes of 2,256 non-IT decision makers to risk and the value of security to the business, NTT Security’s annual Risk:Value report researches C-level executives and other senior decision makers across 20 countries in the Americas, Asia Pacific and Europe, including the UK, and from across multiple industry sectors.

Impact of cyber attacks on businesses

UK respondents are aware of the risks posed by cyber threats, with over half (54 per cent) ranking cyber attacks on their organisation as one of the top three issues that could affect businesses in the next 12 months – second only to ‘economic or financial crisis’ (56 per cent). While global organisations rank ‘loss of company data’ in third place, in the UK, 44 per cent believe that cyber attacks on critical infrastructure is a far greater threat. Of the most vulnerable components of critical national infrastructure, telecoms, energy and electricity networks take first, second and third place. Almost all (90 per cent) respondents in the UK believe that strong cybersecurity is important to their business over the next 12 months, compared to 78 per cent who say the same about ‘growing revenue and profit’, while 93 per cent believe cybersecurity has a big role to play in society.
According to the report, strong cybersecurity allows UK organisations to ‘ensure the integrity of their data’ (58 per cent) and ‘ensure only the right people have access’ to this data (56 per cent), while around half say it ‘helps protect the brand’.

Good and bad practice in cybersecurity

For each organisation in the research for the last two years, NTT Security has analysed the responses for good and bad practice in cybersecurity, with good practice awarded positive scores and bad practice awarded negative scores. The results show a worrying lack of progress globally: in 2019 as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. Thirty-two per cent of businesses score less than zero: that is, they are exhibiting more bad practice than good practice. Businesses in India, a new country to the research, are now the best performing in the world for cybersecurity, ahead of the UK. The performance of organisations in France, Germany and Singapore has worsened in the last year, as has the performance of the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors, placing doubt on the robustness of critical national infrastructure.

Areas where UK organisations are stalling

Paying cybercriminals: A third (33 per cent) of UK respondents say that they would rather pay a ransom to a hacker than invest more in security because it would be cheaper, a significant rise of 12 per cent over 2018’s Risk:Value report. In addition, 34 per cent said they would rather pay a ransom to a hacker than get a fine for non-compliance of data regulations.

Budgets: Security budgets in the UK are potentially failing to keep up with increasing cyber risk, with the percentage of IT budget attributed to security (15 per cent) in line with the global average.
The percentage of operations budget spent on security has fallen by around 1 per cent since 2018, to 16.5 per cent in 2019.

GDPR compliance: Just 30 per cent globally believe they are subject to GDPR, a year on from the deadline, despite it affecting all organisations that have operations or customers in any European Union member state. The UK is a more respectable 48 per cent – still behind Spain (55 per cent) and Italy (50 per cent).

Internal security policies: Businesses are still failing to be proactive internally. At a global level, 58 per cent have a formal information security policy in place, just 1 per cent up over last year. While the UK shows an impressive 70 per cent with a policy in place, this is down on last year’s 77 per cent. Less than half (47 per cent), however, admit that their employees are fully aware of such a policy.

Incident response plans: In 2019, 60 per cent of UK organisations have an incident response plan in place in the event of a security breach, a 3 per cent drop. However, this is still above the global average of 52 per cent and among the highest figures across all 20 countries.

Blaming IT: Around half (44 per cent) of UK respondents believe cybersecurity ‘is the IT department’s problem and not the wider business’, which is in line with the global average of 45 per cent. While Swedish organisations are most likely to blame IT (60 per cent), Brazil is least likely (28 per cent) to do so.

Time spent on recovery from cyber breach

The 2019 Risk:Value report reveals that the time spent on recovering from a cyber breach continues to rise year on year, with UK respondents estimating that it will take 93 days on average to recover. The UK figure is a significant rise of nearly double over last year’s estimated 47 days. The UK now ranks as one of the highest figures globally compared to one of the lowest in 2018.
The cost of recovering from a breach is estimated to be $1.2 million in the UK, matching the global average. Notably in the Nordics, costs are predicted to be much higher, with Norway at $1.8 million and Sweden in first place with expected recovery costs for a business suffering a breach of $3 million. Oil & Gas is the industry sector having to spend the most on recovery efforts to the tune of $2.3 million. The estimated loss in revenue in percentage terms is up year on year in the UK – 12.9 per cent, up from 9.7 per cent in 2018, and in line with the global average of 12.7 per cent.

Integration of new technologies

Commenting on the 2019 findings, Azeem Aleem, VP Consulting, NTT Security, says: “The Risk:Value report is an interesting barometer based on responses from those sitting outside of the IT function – and is often very revealing. What’s clear is that the world around them is changing, and changing fast, with the introduction of new regulations, integration of new technologies and fast-paced digital transformation projects changing the way we work. “What’s concerning though is that organisations seem to have come to a standstill in their journey to cybersecurity best practice – and it’s particularly worrying to see UK businesses falling behind in some critical areas like incident response planning. “Decision makers clearly see security as an enabler; something that can help the business and society in general. But while awareness of cyber risks is high, organisations still lack the ability, or perhaps the will, to manage them effectively. The execution of cybersecurity strategies must improve or business risk will escalate for the organisations concerned.”
Ping Identity, the pioneer in Identity Defined Security, announced a significant update to PingOne for Customers, the cloud-delivered Identity-as-a-Service (IDaaS) offering built for developers. The API-first solution can now deliver seamless and secure push notifications from custom mobile applications that can be used for passwordless and advanced multi-factor authentication. The cloud identity solution helps development teams speed time to launch their applications, while also taking security concerns off their plates and letting them maintain customisation and control over their user experiences. This release marks another milestone for PingOne for Customers that makes embedding secure identity services — login, registration, multi-factor authentication and others — into applications easier than ever. Application developers using PingOne for Customers can now:

Convenient and secure authentication factor

PingOne for Customers is now equipped with a mobile SDK that allows development teams to send push notifications to custom mobile applications for multi-factor authentication (MFA). These push notifications are a more convenient and secure authentication factor than SMS or email one-time passwords (OTPs). Push notifications to custom mobile apps also can be used to achieve strong passwordless authentication, allowing consumers to skip using a password entirely.

Social login through different methods

PingOne for Customers now has authentication APIs for social login and registration with Facebook. Application teams can add one-click registration and login into their user interfaces in any manner they see fit. They can embed a social login button or link in a hidden dropdown, or lead users directly to it if it’s the method of login they prefer their consumers to use.
Social login — like other elements of PingOne for Customers’ authentication APIs — gives development teams full control over their consumer authentication experiences.

Login using SAML identity providers

PingOne for Customers can now accept inbound SAML assertions and support just-in-time provisioning. This capability helps enable enterprises to route all customer logins through a single sign-on (SSO) experience. This allows enterprises to achieve federated SSO across their entire application portfolio and connect to their largest customers, thus enabling their customers to reuse their existing identities without worrying about tedious onboarding and identity management tasks.

Storing data in an EU data centre

The solution has added a dedicated data centre in the European Union, giving enterprises confidence that user data added to the EU data centre is completely isolated from users living in other parts of the world. This helps ensure compliance with data sovereignty and regulations such as GDPR, which restricts the allowance of EU citizens’ personal data being sent out of the EU.

Securely getting identity into applications

“When PingOne for Customers launched, it took a huge step forward in allowing development teams within large enterprises to quickly and securely get identity into their applications,” said Steve Shoaff, chief product officer, Ping Identity. “This latest release builds on that ease-of-use. It drastically expands the use cases PingOne for Customers can support and enhances critical features that allow development teams to build secure experiences to really wow their consumers.”
Tavcom Training, part of Linx International Group and IFSEC’s education partner, revealed details of the 24 free-to-attend and CPD-accredited education sessions, which will be presented at the Future of Security Theatre (Stand: IF3140), this year at IFSEC International in London. Tavcom Training has compiled an education programme that addresses many of the most talked about trends and issues amongst security practitioners. Topics being presented by Tavcom Training’s expert tutors include how to counteract the menace of cybercrime, the impact of artificial intelligence on electronics security, future-proofing CCTV networks and improving security through integration.

Cybersecurity best practices guidance

Sessions will also be dedicated to the threat of drone attacks and available countermeasures, the hackability of autonomous vehicles, and whether the security sector is ready for 5G, as mobile operators begin switching on UK networks this year. Also, with issues regarding the use of facial recognition currently hitting the headlines and a year on from the introduction of GDPR, the challenge of running effective video surveillance that balances privacy and security will be debated. The BSIA will also join Tavcom Training in the theatre to provide cybersecurity best practices guidance, whilst the SSAIB will deliver an intruder alarm standards update involving PD6662.

Learning to address the security issues

Tavcom Training is proud to once again be IFSEC’s education partner and Head of Sales Andrew Saywell, comments: “This year, we have put together a packed programme of the most pertinent topics, delivered by world-leading subject matter experts.
Over the three days, we are offering security practitioners an unmissable opportunity to learn how they can address the issues affecting them today, whilst readying them for what lies ahead.” The Future of Security Theatre will open at 10.45am each day of IFSEC International with an introduction to the Certified Technical Security Professional (CTSP) Register, which is operated by Tavcom Training and supported by the BSIA and SSAIB. CTSP is a publicly searchable online Register of those fulfilling technical roles including installation, maintenance and commissioning of technicians/engineers, auditors and consultants. It is an important initiative that is helping to raise standards throughout the sector.


Expert commentary
There’s a lot of hype around the term ‘digital transformation.’ For some, it’s the integration of digital technology into everyday tasks. For others, it’s the incorporation of innovative processes aimed at making business optimisation easier. In most cases, digital transformation will fundamentally change how an organisation operates and delivers value to its customers. And within the security realm, the age of digital transformation is most certainly upon us. Technology is already a part of our day-to-day lives, with smart devices in our homes and the ability to perform tasks at our fingertips now a reality. No longer are the cloud, Internet of Things (IoT) and smart cities foreign and distant concepts full of intrigue and promise.

Enhancing business operations

These elements are increasingly incorporated into security solutions with each passing day, allowing enterprises the chance to experience countless benefits when it comes to enhancing both safety and business operations. The term ‘connected world’ is a derivative of the digital transformation, signifying the increasing reliance that we have on connectivity, smart devices and data-driven decision-making. As we become more familiar with the advantages, flaws, expectations and best practices surrounding the connected world, we can predict what issues may arise and where the market is heading. We’re increasingly seeing devices become smarter and better able to communicate with each other through the IoT to achieve both simple goals and arduous tasks. Within our homes, we’re able to control a myriad of devices with commands (‘Hey Google...’ or ‘Alexa...’), as well as recall data directly from our mobile devices, such as receiving alerts when someone rings our doorbell, there’s movement in our front yard or when a door has been unlocked.
Analytics-driven solutions

The focus is now shifting to the business impacts of connectivity between physical devices and infrastructures, and digital computing and analytics-driven solutions. Within physical security, connected devices can encompass a variety of sensors gathering massive amounts of data in a given timeframe: video surveillance cameras, access control readers, fire and intrusion alarms, perimeter detection and more. As the data from each of these sensors is collected and analysed through a central platform, the idea of a connected world comes to fruition, bringing situational awareness to a new level and fostering a sense of proactivity to identifying emerging threats. The connected world, however, is not without its challenges, which means that certain considerations must be made in an effort to protect data, enhance structured networking and apply protective protocols to developing technology.

Physical security systems

As the use of connected devices and big data continue to grow, we can expect to see the conversations regarding data privacy and security increase as well. Connectivity between devices can open up the risk of cyber vulnerabilities, but designing safeguards as technology advances will lessen these risks. The key goal is to ensure that the data organisations are using for enhancement and improvements is comprehensively protected from unauthorised access. Manufacturers and integrators must be mindful of their products' capabilities and make it easy for end users to adhere to data sharing and privacy regulations. These regulations, which greatly affect physical security systems and the way they're managed, are being implemented worldwide, such as the European Union's General Data Protection Regulation (GDPR). In the United States, California, Vermont and South Carolina have followed suit, and it can be expected that more countries and U.S.
states develop similar guidelines in the future.

Automatic security updates

Mitigating the concerns of the ‘connected world’ extends beyond just data privacy. IoT technology is accelerating at such a pace that it can potentially create detrimental problems for which many organisations may be ill-prepared - or may not even be able to comprehend. The opportunities presented by an influx of data and the IoT, and applying these technologies to markets such as smart cities, can solve security and operational problems, but this requires staying proactive when it comes to threats and practicing the proper protection protocols. As manufacturers develop devices that will be connected on the network, integrating standard, built-in protections becomes paramount. This can take the form of continuous vulnerability testing and regular, automatic security updates. Protocols are now being developed that are designed to ensure everything is encrypted, all communications are monitored and multiple types of attacks are considered for defensive purposes to provide the best security possible.

IoT-connected devices

Built-in protection mechanisms send these kinds of systems into protection mode once they are attacked by an outside source. Another way for manufacturers to deliver solutions that are protected from outside threats is through constant and consistent testing of the devices long after they are introduced to the market. Hackers wishing to do harm will stop at nothing to break into IoT-connected devices, taking every avenue to discover vulnerabilities. But a manufacturer that spends valuable resources to continue testing and retesting products will be able to identify any issues and correct them through regular software updates and fixes.
‘IoT’ has become a common term in our vocabularies and since it’s more widely understood at this point in time, it's exciting to think about the possibilities of this revolutionary concept.
Providing critical insights
The number of active IoT devices is expected to grow to 22 billion by 2025 — a number that is almost incomprehensible. The rise of 5G networks, artificial intelligence (AI) and self-driving cars can be seen on the horizon of the IoT. As more of these devices are developed and security protocols are developed at a similar pace, connected devices stand to benefit a variety of industries, such as smart cities. Smart cities rely on data communicated via the IoT to enhance processes and create streamlined approaches to ensuring a city is well-run and safe. For example, think of cameras situated at a busy intersection. Cameras at these locations have a variety of uses, such as investigative purposes in the event of an accident or for issuing red-light tickets to motorists. But there are so many other possible purposes for this connected device, including providing critical insights about intersection usage and traffic congestion. These insights can then be used to adjust stoplights during busy travel times or give cities valuable data that can drive infrastructure improvements.
Physical security market
The impact of connected devices on cities doesn’t stop at traffic improvement. The possibilities are endless; by leveraging rich, real-time information, cities can improve efficiencies across services such as transportation, water management and healthcare. However, stringent protections are needed to harden security around the networks transmitting this kind of information in an effort to mitigate the dangers of hacking and allow this technology to continuously be improved.
Whether you believe we’re in the midst of a digital transformation or have already completed it, one thing is certain: businesses must begin thinking in these connectivity-driven terms sooner rather than later so they aren’t left behind. Leveraging smart, connected devices can catapult organisations into a new level of situational awareness, but adopting protections and remaining vigilant continues to be a stalwart of technological innovation within the physical security market and into the connected world.
In the next three years, software as a service ‘SaaS’ is likely to grow by around 23%. That’s according to reports by Cognizance. Its growth rests on the adoption of cloud: public, private and hybrid. Without the cloud, applications can’t truly pervade an organisation, nor can operational or customer benefits be derived. But there’s no point in adopting the cloud if it’s not secure - the proliferation of SaaS demands security, none more so than in a GDPR world.
Large cloud environment
But modern applications are difficult to secure. SaaS based, web, mobile, or custom made all work on different platforms and frameworks. It’s a headache managing all the APIs needed to automate and sync tools. This introduces risk. The greater the number of apps, the broader the attack surface and therefore the greater the chance there will be blind spots. There are also added hazards. Applications are always changing. Keeping up to date with updates and new security policies is never easy, but especially hard in a large cloud environment. Failure to adopt changes puts the organisation and customers at further risk. But the biggest obstacle is keeping applications and APIs out of harm’s way. It’s a near on impossible task when attack methods and sources are constantly changing.
More advanced threats
To be specific there are four emerging challenges when it comes to protecting apps. Firstly, managing the good and the bad bots and spotting which is which, secondly securing APIs as IoT adoption intensifies, thirdly the relationship between securing apps and DevOps and ensuring ownership of security, and finally denial of service attacks that use newer tactics such as brute force. Basic security hygiene dictates that security teams refer to the OWASP Top 10.
It’s considered the ‘ten commandments’ in security circles, providing a starting point for ensuring the most common threats and vulnerabilities are managed, detected and mitigated. Web Application Firewalls also come into the fray with guidance on testing for the ways hackers exploit vulnerabilities. However, though the basics are good to have in place, there are always more advanced threats to take care of. Bots being a big one.
Bot management
Astonishingly about half of internet traffic is bot generated. Half of it is from bad bots. Discerning the good from the bad isn’t easy though and explains why around 80% of organisations can’t make a clear distinction between the two. Bad bots can do a lot of damage like take over user accounts and payment information, scrape confidential data, or hold up inventory and skew marketing metrics. The more sophisticated bots will go as far as to mimic human behaviour and bypass tools like CAPTCHA, and even render device fingerprinting based protection ineffective.
Securing APIs
Then there’s the complications derived from machine-to-machine and internet of things (IoT) communications. The more integrated ‘things’, the more data there is, the more events there are to report on, and the more activity there is reliant on APIs to make the ‘things’ useful and agile. That’s what makes them a target, and threats that exploit API vulnerabilities include injections, protocol attacks, parameter manipulations, unvalidated redirects and bot attacks. There’s the risk that businesses will grant access to sensitive data without inspecting or protecting APIs to detect cyberattacks.
Denial of service (DoS)
You might think there’s little to add to the swathes of denial of service warnings.
Yet when businesses are still being targeted and feeling the ill effects it’s worth mentioning again that different forms of application-layer DoS attacks are still very effective at bringing application services down. This includes HTTP/S floods, low and slow attacks (famous examples being Slowloris, LOIC, Torshammer), dynamic IP attacks, buffer overflow, Brute Force attacks and more. The IoT botnets are the culprits and have made application-layer attacks so popular that they have become the preferred DDoS attack vector. Even the greatest application protection is worthless if the service itself can be knocked down.
Continuous security
It may seem easy to say but for modern DevOps, agility is valued at the expense of security. We see time and again examples of where development and roll-out methodologies, such as continuous delivery, mean applications are exposed to threats each time they are modified. There’s no doubt it is extremely difficult to maintain a valid security policy and protect sensitive data in dynamic conditions without creating a high number of false positives. But we now find that this task has gone way beyond the capability of humans. Organisations now need machine-learning based solutions that map application resources, analyse possible threats, and create and optimise security policies in real time. Reaching this level in security planning should be a big wake-up call that security automation is an essential not a nice to have.
Running security plans
It’s critical that the security solution your company adopts protects applications on all platforms, against all attacks, through all the channels and at all times. The board needs to know that investment is critical to protect their profits.
As such there are six things they need to know: Application security solutions must encompass web and mobile apps, as well as APIs. Bot management solutions need to overcome the most sophisticated bot attacks. DDoS mitigation must be an essential and integrated part of application security solutions. A future-proof solution must protect containerised applications, serverless functions, and integrate with automation, provisioning and orchestration tools. To keep up with continuous application delivery, security protections must adapt in real time. A fully managed service should be considered to remove complexity and minimise resources. No amount of human power will beat the bots. That last point is the most critical. Skill is essential in designing and running security plans and policies that work. But the plans can’t be executed without automated tools. There are just too many decisions to make in a split second. Combining both is the path to an effective app protection strategy and a stronger brand to boot.
The past decade has seen unprecedented growth in data creation and management. The products and services that consumers use every day – and the systems businesses, large and small, rely on – all revolve around data. The increasing frequency of high-profile data breaches and hacks should be alarming to anyone, and there’s a danger data security could worsen in the coming years. According to DataAge 2025, a report by IDC and Seagate, by 2025, almost 90% of all data created in the global datasphere will require some level of security, but less than half of it will actually be secured.
Nuanced approach to data security
The rapid proliferation of embedded systems, IoT, real-time data and AI-powered cognitive systems – as well as new legislation like the European Union’s GDPR – means that data security has to be a priority for businesses like never before. With data used, stored and analysed at both the hardware and software level, we need a new and more nuanced approach to data security. Security is a circle, not a line. Every actor involved in the handling and processing of data has responsibility for ensuring its security. What this means in practice is renewed focus on areas of hardware and software protection that have previously not been top of mind or received large amounts of investment from businesses, with security at the drive level being a prime example.
The importance of data-at-rest encryption
In a world where data is everywhere, businesses need always-on protection. Data-at-rest encryption helps to ensure that data is secure right down to the storage medium in which it is held in a number of ways. Hardware-level encryption, firmware protection for the hard drive, and instant, secure erasing technology allow devices to be retired with minimal risk of data misuse.
A recent report from Thales Data Threat found that data-at-rest security tools can be a great way to help protect your data. However, it’s important to note that this must be used in conjunction with other security measures to ensure that those that fraudulently gain access to your key management system can’t access your data.
Ensuring drives to be Common Criteria compliant
Despite the clear benefits, this kind of encryption lags behind other areas, such as network and endpoint security, in terms of the investment it currently receives. The same Thales Data Threat report found that data-at-rest security was receiving some of the lowest levels of spending increases in 2016 (44%), versus a 62% increase for network and a 56% increase for endpoint security. One straightforward test any business can do to ensure its storage is as secure as possible is to check whether the drives are Common Criteria compliant. Common Criteria is an international standard for computer security certification, and drives that meet this standard have a foundational level of protection which users can build on.
Providing an additional layer of security
The retail industry has seen a spate of security breaches recently, with several major US brands suffering attacks over the busy Easter weekend this year. As frequent handlers of consumer card information, retailers are particularly vulnerable to attack. The advanced threats retailers face can often evade security defences without detection.
Such a breach could grant attackers unrestricted access to sensitive information for possibly months – some breaches are known to have been detected only after consumer payment details appeared on the dark web. These types of undetected attacks are highly dangerous for retailers, which are relatively helpless to protect consumer information once their defences have been compromised. Data-at-rest encryption could significantly enhance security in these instances, providing an additional layer of security between customer records and the attacker which has the potential to make the stolen data valueless to cyber criminals.
Industries in need of data-at-rest encryption
Healthcare organisations, which hold highly sensitive customer and patient information, have a strong use case for data-at-rest encryption. With the widespread adoption of electronic patient health records, that data is increasingly vulnerable to attack. Recent research from the American Medical Association and Accenture revealed that 74% of physicians are concerned over future attacks that may compromise patient records. The financial sector would also benefit from further investment in data-at-rest encryption, given 78% of financial services firms globally are planning on increasing their spending on critical data, according to Thales’ Data Threat Report. SMEs and enterprises are not immune to security threats either – with growing numbers of people traveling for work or working remotely, the risk of sensitive business data becoming exposed via device theft is heightened. Usernames and passwords have little use if thieves can simply remove unencrypted hard drives and copy data across.
Securing every hardware and software
Technology vendors often focus on aspects of hardware and application security that are within their control. This is understandable, but it risks proliferating a siloed approach to data security. There is no single line for data security; rather, it’s helpful to view it as a circle in which every piece of hardware and software handling the data plays its part. There’s a clear need for more industry dialogue and collaboration to ensure data security is effectively deployed and connected throughout the security circle and across the value chain.
Security beat
Ethics is a particularly important subject in an industry such as fire and security because the result of unethical actions might make the difference between life and death. For example, if an employee acts unethically when servicing a fire extinguisher, the result could be to burn down the building. Although ethics is not a common topic of discussion in the fire and security industry, perhaps it should be. Chubb Fire and Security is a company that provides an example of how an emphasis on ethics can benefit a company, its employees, its customers and the whole world.
Fire safety and security risks
“The fire and security industry is different than others because lives and people’s safety are on the line,” says Harv Dulay, Director of Ethics and Compliance at Chubb Fire and Security. “Our purpose is to protect clients from fire safety and security risks. This is a business where no one should take short cuts. It is important to do the right thing all the time, every time, and it’s about protecting lives and property.” “At Chubb, we have a code of ethics, our ‘bible,’ that is issued to employees when they start,” says Dulay. “Within the bible are core fundamental rules about what’s acceptable and not acceptable. We lay it out for employees very specifically. They understand and embrace the code of ethics, which is based on trust, integrity, respect, innovation and excellence.” “If you get those right, the business moves in the right direction. A key piece of our ethics policy is based on trust. We relate to others with openness, transparency, and empathy. It makes Chubb a better place to work and enables us to provide better service to customers.”
Fire audit
For Chubb, ethics is not just theoretical, but ethical concepts play out every day in practical ways.
An example might be an engineer who goes to a customer’s site and is asked to do a task that is outside his or her duties and/or not allowed under the ethics policy. The pressure might be even greater if the employee is struggling to meet a sales figure. The code of ethics addresses specific situations and outlines the behaviour that is expected. In another example, a customer asked a Chubb technician to forge a certificate saying the customer had previously passed a fire audit in order to validate his previous year’s insurance. Showing ethical integrity, the technician was able to cite the company’s Code of Ethics and refuse to do it. The technician also reported the situation to his Ethics and Compliance Officer. Customers benefit, too.
Delivering ethics excellence
One of Chubb’s sales associates immediately reported a situation in which all the tenders and competitors’ prices were visible as they prepared a tender for upload to a customer portal. Not only did the sales associate deliver ethics excellence by reporting the issue, he also helped a grateful customer who thereby avoided anti-trust issues, says Dulay. “Ethics is not just a current issue,” says Dulay. “It’s embedded in our values and has been since the beginning. Ethics is making sure people do the right things.” Ethics is integrated into the Chubb business model, and everyone knows what is expected of them. “It’s a message heard from the top down, from everyone in the company.”
On-line training modules
Ethics discussions begin for employees at Chubb when they join the company; clear instructions about ethics are included as part of employee induction. There are nine modules of ethics training during employee orientation, and a discussion with an Ethics and Compliance Officer is part of the onboarding process.
The training program includes information about ethics, company expectations around ethics, where to go for questions about ethical issues, and details of the anonymous ombudsman program. Additionally, field staff are trained by their supervisors via regular face-to-face ethics toolbox talks. Office staff complete a series of on-line ethics training modules regularly. A series of supervisor-led trainings encourage managers to deliver face-to-face ethics training to their team, citing real-life examples. Healthy discussions are encouraged to deal with any ‘gray areas.’
Worldwide implementation of data security
Dulay estimates that ethics and compliance officers spend about half their time answering questions and clarifying for employees what’s expected in the code of ethics. Some 14,000 employees globally have multiple options when it comes to reporting an issue, and there are full-time Ethics and Compliance Officers in every country where Chubb does business. A reflection of Chubb’s global approach to compliance is their worldwide implementation of data security requirements of Europe’s General Data Protection Regulation (GDPR); the company saw the benefits of the program for any jurisdiction. Training and education are part of Chubb’s investment in ethics. For example, a recent module on ‘respect in the workplace’ covered the need to create a company culture in which everyone feels respected. “Training and continuous communication are embedded in the organisation,” says Dulay.
Managing potential conflicts proactively
“We invest in the process,” says Dulay. “We have had employees who left the company and then come back. They realised the importance of ethics and rejoined us. We start with the foundation that we would rather lose business than give up our ethical standards,” says Dulay.
“We won’t abandon our policies even if there is money at stake. Some business is not worth getting if you don’t adhere to your values. We manage potential conflicts proactively by creating and instituting methods in which employees have access to tools they can use to be successful and adaptable in times of change,” says Dulay. “Also, we will not tolerate retaliation against any employee who reports wrongdoing – regardless of the outcome of the investigation.”
Forming good ethics behaviour
And while there is no specific monetary value assigned to good ethical practices, success can be measured. “We measure it by people’s conduct, the number of cases we have, and awareness,” says Dulay. “It’s good for employee morale, and it’s good for customers and our business. It’s not measurable, but it is fundamental for business and customers.” “The work we do as a company can impact people’s lives so it is important that everyone has an understanding of the importance of their role,” says Dulay. A common misconception about ethics is: “If no one is watching, it must be ok.” However, Dulay says it is the things employees do when no one is watching or checking in on them that form good ethics behaviour. During training, Chubb emphasises that ethics is about doing the right thing, all the time even if no one is watching.
As police use of live facial recognition (LFR) is called into question in the United Kingdom, the concerns can overshadow another use of facial recognition by police officers. Facial recognition is incorporated into day-to-day police operations to identify an individual standing in front of them. This more common usage should not be called into question, says Simon Hall, CEO of Coeus Software, which developed PoliceBox, software that enables police officers to complete the majority of their daily tasks from an app operating on a smart phone.
Time-consuming process
“Verifying the identity of an individual standing in front of you via facial recognition should be no more controversial than taking a fingerprint for the same purpose,” says Hall. “We are not talking about mass surveillance here, but the opportunity to use technology to make an officer’s day more efficient. Verifying a person’s ID is a time-consuming process if you have to take them to the station, so being able to do this more quickly should be welcomed as a positive step to modernise policing.” Because the use of facial recognition by police has proven to be a divisive topic, Simon is eager to highlight the distinction between the use of facial recognition for ID verification and the more controversial mass surveillance that some police forces have trialed. “There are two different use cases for facial recognition in the context of law enforcement,” says Hall.
Number-plate recognition
“Firstly, there is facial recognition to verify a person’s identity (typically done face-to-face with the individual concerned and using the Police National Computer [PNC] database). This is no more controversial than taking an individual’s fingerprint to verify their ID but can be conducted more quickly if the officer has the capability on their smart phone.
The second common use of facial recognition is to identify suspects quickly via mass surveillance. This is more controversial.” The focus for PoliceBox is ID verification only, he adds. First, there is the matter of consent. In the context of facial recognition in public situations, it is very difficult to inform everyone that they are being observed, so they cannot give their informed consent, says Hall. Then there is the inability for people to ‘opt out’ of the process. Unlike with driving a car, where one can technically opt-out of the rules of the road (and avoid technologies like number-plate recognition) by choosing not to drive, there is no such option for facial recognition.
National surveillance system
Secondly, many-to-many matching (matching lots of images to lots of database records) is more likely to produce false matches, resulting in possible perceived harassment of individuals who happen to match a person of interest, notes Hall. Lastly, Hall says there are legitimate concerns that the technology could be misused for discrimination or exerting control over populations. In China, for example, where facial recognition technology is already widely used in the commercial sector, the government is openly exploring plans to develop a national surveillance system using facial recognition. “Mass surveillance can be used in two ways; real-time, whereby ‘people of interest’ are flagged up as soon as a match is detected, and historical, where the movements of individuals around the time of a reported crime are established after the event,” says Hall.
Repeated false matches
“These two modes probably require different types of safeguards. For example, it may be appropriate to obtain a warrant to search historical data, to prevent Cambridge-Analytica style mining of personal data.
For real time data, safeguards against repeated false matches are needed to prevent harassment of falsely matched individuals.” Properly implemented, facial recognition can be consistent with the GDPR. The principles are no different from obtaining a fingerprint to confirm identity, where consent would normally be given. For PoliceBox, using fingerprint or facial identification is typically a time-saving solution, benefitting both parties, instead of going to the police station and establishing identity there. Signed consent can be obtained on the spot using a secure on-screen signature.
Facial recognition algorithms
Fingerprints and facial images can be automatically deleted once used to establish identity. There are special provisions for the collection of personal data for law enforcement purposes without consent, and some test cases for mass surveillance could go through the Information Commissioner’s Office (ICO). This is particularly significant where private operators are concerned. The PoliceBox solution is based on the UK legal framework and would also be appropriate for countries whose laws are similar to the UK. It is also internationalised and can be used in different languages. Facial recognition algorithms and databases are typically implemented by the relevant law enforcement body (such as the Home Office) and not directly within the product, which acts as a front-end to those systems.
Public sector organisations
Hall sees several remaining challenges related to police use of facial recognition: The adoption of cloud-based software-as-a-service (SaaS) solutions within the public sector.
The existing infrastructure in the public sector has evolved over a number of years and there are significant legacy systems in place that need to be refreshed/replaced; Need for proven technology. Public sector organisations are risk-averse and often insist on being able to reference existing installations, which creates a Catch-22 problem when introducing new technology as someone has to be first; Interrupting business-as-usual. Most organisations already have some form of an existing solution. Even if this system provides poor ROI and is extremely dated, one must still overcome the ‘better the devil you know’ policy; A reluctance by some suppliers to share information with other solutions via APIs. This has stifled innovation for some time.
Improving officers’ wellbeing
These challenges are slowly being overcome. “I am confident we will soon see an accelerated adoption of platforms such as ours to deliver the financial and efficiency savings that are needed to bring the public sector into the 21st century,” says Hall. One of the biggest themes to come out of the recent Home Office Review into frontline policing was the need to improve officers’ wellbeing. Law enforcement has to deal with some of the most difficult and harrowing situations on an almost daily basis. The administrative burden can also be problematic, says Hall. “If we can help to reduce the administrative burden placed on officers – even by a little bit – the overall improvements in effectiveness and well-being when magnified across a whole force will be significant.”
Police in the United Kingdom have been testing the effectiveness of live facial recognition (LFR) for several years now, but future uses of the technology have been called into question. The Information Commissioner’s Office (ICO), an independent authority that seeks to uphold information rights in the public interest, has weighed in on issues of data privacy related to LFR, and Members of Parliament (MPs) have called for a moratorium on uses of the technology. The big question is whether the benefits of LFR outweigh its impact on privacy rights.
Live facial recognition
The House of Commons Science and Technology Committee has expressed concerns about bias, privacy and accuracy of facial recognition systems and urged the U.K. government to issue a moratorium on further live facial recognition trials until regulations are in place to address bias and data retention. According to Elizabeth Denham, U.K. Information Commissioner: “[Police trials of LFR] represent the widespread processing of biometric data of thousands of people as they go about their daily lives. And that is a potential threat to privacy that should concern us all.” Denham says live facial recognition (LFR) is a high priority area for ICO. “I believe that there needs to be demonstrable evidence that the technology is necessary, proportionate and effective considering [its] invasiveness,” she says.
Potential public distrust
“Any organisation using software that can recognise a face amongst a crowd and then scan large databases of people to check for a match in a matter of seconds, is processing personal data,” says Denham. General Data Protection Regulation (GDPR) wording specifies biometric data as a ‘sensitive’ category of personal information. London’s Metropolitan Police Service performed 10 trials of live facial recognition at various venues in 2016, 2017 and 2018.
The London Police Ethics Panel reviewed the trials and concluded that additional use of the technology would be supported if certain conditions were met. One condition is if the “overall benefits to public safety [are] great enough to outweigh any potential public distrust in the technology.” Each deployment should be assessed and authorised as necessary and proportionate. Operators should be trained to understand associated risks and to be accountable, and there should be evidence that the technology does not promote gender or racial bias.
Develop strict guidelines
The Ethics Panel also specified that both the Metro Police and Mayor’s Office for Policing and Crime should develop strict guidelines to ensure that deployments balance the benefits of the technology with the potential intrusion on the public. “We want the public to have trust and confidence in the way we operate as a police service, and we take the report’s findings seriously,” said Detective Chief Superintendent Ivan Balhatchet, who led the trials. In its 10 trials of live facial recognition, Met Police used NEC’s NeoFace technology to analyse images of the faces of people on a watch list. The system measured the structure of each face, including distance between eyes, nose, mouth and jaw to create facial data, which was used to match against the watch list. The system only kept faces matching the watch list, and only for 30 days. Non-matches are deleted immediately.
More accurate identification
An independent review of the trials, commissioned by the Metropolitan Police, concluded it is ‘highly possible’ that the Met’s ‘trial’ deployments would not satisfy the key legal test of being considered ‘necessary in a democratic society’ if challenged in the courts, according to U.K. human rights advocacy group Liberty. South Wales Police have partnered with NEC to formally pilot facial recognition technology.
NEC’s real-time solution enables trained officers to monitor movement of people at strategic locations. “Facial recognition technology enables us to search, scan and monitor images and video of suspects against offender databases, leading to faster and more accurate identification of persons of interest,” says Assistant Chief Constable Richard Lewis. “The technology can also enhance our existing CCTV network in the future by extracting faces in real time and instantaneously matching them against a watch list of individuals, including missing people.”
Intrusive technology
“We are very cognisant of concerns about privacy, and we are building in checks and balances into our methodology to reassure the public that the approach we take is justified and proportionate,” says Lewis. U.K. human rights advocacy group Liberty has taken legal action on behalf of one Cardiff resident against South Wales Police over its use of facial recognition. “Facial recognition is an inherently intrusive technology that breaches our privacy rights,” says lawyer Megan Goulding at Liberty. “It risks fundamentally altering our public spaces, forcing us to monitor where we go and who with, seriously undermining our freedom of expression.” ICO’s Denham says any judgment resulting from the legal action will form an important part of ICO’s investigation and will be considered before ICO’s final findings are published.
Information management
South Wales Police offers the following assurance: “Data will only be retained as long as is necessary for a policing purpose, as per guidance within the Authorised Policing Practice on information management.” One concern is that live facial recognition ‘discriminates’ against women and people of colour because it disproportionately misidentifies them, thus making them more likely to be subject to police attention. ICO’s Elizabeth Denham comments: “Facial recognition systems are yet to fully resolve their potential for inherent technological bias; a bias which can see more false positive matches from certain ethnic groups.”
Taking regulatory action
ICO has also considered data protection ramifications of commercial companies using LFR. Denham says: “The technology is the same and the intrusion that can arise could still have a detrimental effect. In recent months, we have widened our focus to consider use of LFR in public spaces by private sector organisations, including where they are partnering with police forces. We will consider taking regulatory action where we find non-compliance with the law.” A 27-page U.K. Home Office Biometrics Strategy sets out an overarching framework within which organisations in the Home Office sector will consider and make decisions on the use and development of biometric technology. However, Biometrics Commissioner Paul Wiles says the document “doesn’t propose legislation to provide rules for the use and oversight of new biometrics, including facial images. Given that new biometrics are being rapidly deployed or trialed, this failure to set out more definitively what the future landscape will look like in terms of the use and governance of biometrics appears to be short-sighted.”
Case studies
Genetec Inc., a technology provider of unified security, public safety, operations and business intelligence solutions, announces its solutions have been selected by the Royal Borough of Windsor and Maidenhead (RBWM) for region-wide CCTV monitoring and community safety purposes. The new system will result in better coverage across the borough and enable information to be quickly shared with regional police as and when required. At the heart of the programme is a completely refurbished monitoring centre, equipped with the Genetec flagship unified security platform Security Center and other complementary Genetec security solutions.
KiwiVision privacy protector
These include the KiwiVision Privacy Protector to simplify GDPR compliance, Genetec Mission Control to guide operators in providing a consistent response to incidents and Genetec Clearance for the easy and secure sharing of evidence with local law enforcement. The open federated architecture of the Genetec infrastructure provides the foundation for a system that can scale and evolve as needs change. It also allows RBWM to protect its past investments by retaining the majority of its existing cameras, alongside the 200 that will be added, upgraded or relocated. “The safety of residents and visitors in the borough is a priority, and we are pleased to be installing a new state-of-the-art system that delivers this,” said Cllr. Mike Airey, cabinet member for environmental services.
Improved information sharing
“We not only benefit from reduced operating costs and improved information sharing with local police, but we also gain access to cutting edge privacy controls that make it far simpler for us to maintain our compliance with the EU GDPR and other data protection regulations.” The project began when specialist town centre video surveillance consultancy firm Global MSC Security (MSC) was called in to assess the Royal Borough’s existing analogue video surveillance system, its fitness for purpose and how it could be cost-effectively improved. This resulted in a competitive tendering exercise won by Computerised & Digital Security Systems Ltd. (CDS), who designed a state-of-the-art wireless camera system to support the Genetec open architecture video management system.
Cost-effective response
Some of the key technical benefits delivered by CDS include full HD recording, advanced graphical mapping, advanced incident response, customisable and extended video storage retention, and various features to aid data protection regulation compliance such as automated pixelisation of images and end-to-end encryption to enhance privacy controls. “Genetec is delighted to see our solutions chosen by the Royal Borough of Windsor & Maidenhead for this well thought out upgrade that will benefit the council, local police and citizens”, added Dan Meyrick, Regional Sales Manager, Genetec Inc. “I would like to thank and congratulate our partner CDS for producing a high quality and cost-effective response that delivered against the customer’s requirements.”
Round table discussion
In the digital age, software is a component of almost all systems, including those that drive the physical security market. A trend toward hardware commoditisation is making the role of software even more central to providing value to security solutions. Software developments make more things possible and drive innovation in the market. We asked this week's Expert Panel Roundtable: How do software improvements drive physical security?
The definition of a standard is “an authoritative principle or rule that usually implies a model or pattern for guidance, by comparison with which the quantity, excellence, correctness, etc., of other things may be determined.” In technology markets, such as physical security, standards are agreed-upon language, specifications or processes that are used across the board by multiple stakeholders to enable easier interconnectivity and smoother operation of systems. We asked this week’s Expert Panel Roundtable: How are standards shaping change in the physical security market?
ISC West 2019 is in the industry’s rear-view mirror, and what a show it was! The busy three days in April offered a preview of exciting technologies and industry trends for the coming year. We asked this week’s Expert Panel Roundtable: What was the big news at ISC West 2019?