Report on the Cyber Security Management for Smart Recliner
Smart devices have proliferated worldwide and they have functionalities that play a vital role in day-to-day living for people. The smart recliner is a smart device and is considered a disruptor in the furniture industry with loaded functionalities and easy-to-use features for the consumer. The smart recliner by Smart Seats Ltd is designed to accommodate individual requirements and is a novel device with innovative features enabled by multiple technologies. The use of multiple technologies in the recliner makes it prone to potential attacks and cyber risks. Hence, there is a need to implement information assurance and mitigate cyber risks.
The devices used by the recliner are vulnerable to a variety of attacks and threats that compromise the aspects of information assurance (IA) (Sosin, 2018).
Compromise of IA can result in the loss of sensitive data belonging to the user and the company (Khan et al., 2019). To overcome these risks, adequate security mechanisms are required in the recliner design. The report provides an analysis of the cybersecurity gaps in order to offer suggestions and recommendations and to highlight the need for security protection and management. The gap analysis covers all the internal functional departments and the products developed, and also considers the risks of using third-party vendor components. The IA and cybersecurity risks for Smart Seats Ltd are first understood so that standard IT frameworks can be implemented as part of a comprehensive risk management program. The gap analysis highlights the issues faced and the mitigation measures identified through a rigorous risk assessment exercise presented in the report. The importance of GDPR legislation and security compliance is highlighted, with suggestions for management consideration. The success of the recliner depends on consumer security and safety, and hence GDPR and security risk management are important considerations in its design.
Cyber risk management (RM) is the process of identifying, analyzing and assessing the organization's cybersecurity threats (Antonucci, 2017). To manage cybersecurity threats, cyber risks are evaluated using standard methods. Exploring the operations of Smart Seats Ltd, there are many business and technical risks from the company's perspective. Some risks that must be addressed as a priority include:
- Risk management of cyber threats, and compliance of all their products
- Data loss prevention, i.e. protecting sensitive data and ensuring consumer privacy
- Protection of design, development and innovation
- Risks from vendors and suppliers
- Risks from pricing and cost constraints due to market demands
- Risks to strategic goals
The risks are addressed using standard risk assessment methods to benefit the company and protect proprietary information. In addition, some components used in the smart recliner are supplied by external vendors and bring their own risks. Further risk assessments are therefore conducted frequently to identify and detect emerging risks from components supplied by third-party vendors, because vendor-supplied components for smart recliners may or may not comply with cybersecurity legislation for smart products (DeSmit et al., 2017). Risks must be fully addressed at a strategic level for Smart Seats Ltd to realize the anticipated return on investment (ROI).
Managing cyber risks is a priority to protect the company from known cyber threat incidents, and management support is required for an effective risk management program. The risk management program will include internal audit, monitoring of all assets and training of staff to ensure a state of preparedness and to detect and understand data breach incidents and privacy issues quickly. This is necessary for the company to develop internal capabilities and to realize the value of its investments. At the same time, it is impossible to secure everything, so risk management must focus on risk-sensitive assets such as sensors, IoT devices, voice recognition systems, Wi-Fi and others. Risk assessment in the company will measure the extent of damage or impact.
The following recommendations are provided for management consideration:
- Develop and implement operational procedures, policies and processes to fulfil legal and compliance obligations
- Ensure the security of personal data through procedural measures, and implement technical measures wherever necessary
- Ensure policies and procedures are followed to detect, report and investigate incidents on time
- Provide training to staff, and orientation to consumers
The report provides an analysis and discussion of cyber risks, information assurance and gap analysis for Smart Seats Ltd. Based on the analysis, the report highlights recommendations to the C-suite and management on the safety features to be included in the design of the smart recliner. The background section highlights the need for a security gap analysis in the areas of IA and cyber risks for the recliner. Based on a gap analysis of the requirements for a standard IT governance and security program, COBIT 2019 is suggested for implementation. The aspects of GDPR legislation relevant to smart recliners are highlighted.
Cybersecurity risks and threats are increasing. Smart Seats must invest in security solutions to reduce the risks and develop incident response plans to ensure their products and services are resilient against attacks. The company's approach must be based on resilience-oriented security measures rather than purely preventive security measures, because users on unsecured home networks have a high probability of a security breach through one of the recliner's components, which can also impact the company.
The existing identified cyber risks and issues with the recliner are:
- Vulnerabilities that impact user privacy and confidentiality
- Issues related to information disclosure
- Managing security risks in IoT, voice recognition, sensors and wireless networks
- Managing vulnerability in third-party vendor devices
New technologies such as the IoT provide numerous opportunities for developing smart devices. The furniture industry makes use of IoT and related technologies to design smart furniture; examples of such connected devices include Alexa, Fitbit and the Apple Watch. Trends indicate that the smart furniture market is growing, and is estimated to grow at a compound annual growth rate of 21.8% by 2026 and reach USD 794.8 million (Research and Markets, 2018). Therefore, manufacturers look to improve the smart recliner by integrating digital capabilities with physical components and a power supply.
The digital capabilities in smart recliners offer only limited security protections. In order to standardize consumer safety for smart devices, the UK government enacted a law requiring manufacturers to strictly adhere to a set of security measures (Laughlin, 2021). The legislation is known as "Secure by Design" and aims to tackle the range of smart products that have weak security and/or are prone to cyber risks (GOV.UK, 2019). Smart Seats Ltd. must comply with this law in manufacturing a smart recliner that uses multiple connected devices.
Due to the impact of the Covid-19 pandemic, freedom of movement for people is limited. The company has decided to produce smart recliners with innovative features that integrate multiple device technologies. However, the recliner must adhere to EU/UK regulations, security standards and legislation following the Brexit decision by the British Government. In addition to catering to customers in the UK and EU, the company also has customers in other nations not bound by EU and UK (GDPR) regulations on information security and privacy. In this situation, the recliner design must ensure adequate data protection for the customer, and will include adequate control mechanisms and mitigation measures. In addition, the international standards for risk management processes mandated in COBIT 2019 are followed by Smart Seats Ltd in developing control mechanisms for managing data security challenges, thus ensuring the recliner complies with data security requirements worldwide. Appropriate control measures are recommended for the design of the smart recliner.
IA is the process of managing risks related to information usage, processing, storage and transmission. IA ensures that information is protected and available, that its integrity is maintained, and that authentication, confidentiality and non-repudiation are provided (Sosin, 2018).
Cyber threats and risks to digital devices are on the increase, and hence information assurance is required to balance potential threats and improve operational capability in the company (Joiner, Efatmaneshnik and Tutty, 2018). IA will provide defence and protection for Smart Seats Ltd data in its IT systems, for client data, and for third-party vendor information used and stored by the company. IA is achieved through detection, protection and reaction capabilities in the smart recliner design. In order to perform the activities of detection, protection and reaction, IA will leverage technologies and related processes, namely security at multiple levels, access control, securing data in sensors and IoT devices, and intrusion detection. Therefore, IA will protect the information in the environment, detect attacks on data, and develop the capability to restore the system and respond to attacks (Kahyaoglu and Caliyurt, 2018).
The IA paradigm will encompass the elements of information, information-based processes and information systems. Here, information refers to facts or instructions carried over the wireless medium (Nicho, 2018). For example, in a smart recliner with voice controls, the recliner movement can be controlled by voice. Here, there is a need to protect the voice recognition system and its processes in the recliner system from attacks. Similarly, the recliner has voice-controlled temperature regulation, voice-controlled relief features, and Amazon Alexa integration, which also performs actions from voice commands. Hence there is a need to secure the information in the voice command conventions and their representation, which trigger the action for each command.
The information-based processes include the methods used to gather, analyze, execute and share information using a wireless medium. They provide value to the consumer's decision making and perform designated functions that make use of the service features available in the recliner. For example, playing music, temperature regulation using voice control and the drop-arm option are information-based processes. Lastly, information systems include the organizational infrastructure and IT systems, digital systems and components involved in the recliner that collect, process, transmit and store data. Given these functionalities, it is important to secure and protect all three elements of the IA paradigm, namely information, information processes and information systems. Protecting IA is challenging because it requires an understanding of the nature of the threats and a strategy for containing and managing digital attacks.