Improved consumer protection is one of the core objectives of the first BSI report specifically focused on consumers for digital security and data protection. One way to achieve this could be via an IT security label to support end users in their purchasing decisions for digital products such as smart home systems or digital assistants.[1] Cybersecurity in healthcare was selected as a particularly topical application area. A detailed look at various healthcare applications was already published in May.[2]

The “digital consumer”

The daily use of apps on smartphones or tablets and the now all-pervasive data processing in all kinds of systems and gadgets pose new dangers and challenges. From smart home systems to fitness wristbands, Alexa or Siri to cars, more and more systems are equipped with IoT functions. Two essential components here are data protection and IT security. Every user becomes a source of data that usually does not seem transparent and controllable for the individual.

More security incidents on the Internet of Things

During the 2020 review period, security incidents related to apps and IoT applications were increasingly reported. The largest collections of potential vulnerabilities have become known under Ripple20 and Amnesia33. The BSI report assumes that although awareness is increasing, the increased integration of IT functions and data processing via cloud/internet will lead to a sharp rise in security incidents.

 “Security by Design “

Suppose the BSI has the decision, as many products as possible should have an IT security label in the future. The security features of IT devices should be recognizable to users. Manufacturers must take security aspects into account as early as the product development stage and integrate them fixedly. The safe operation must be made possible over the service life of the device.[3]

Currently, the situation is mostly humble: Once delivered, updates are often not provided for “smart” devices, or the process is too burdensome and too complex for standard users. An IT security label seems a sensible way to enable users to make an informed choice. Of course, quality and implementation are essential here so that users are not lulled into a false sense of security in the worst case. The BSI argues, “Digitization can only succeed if information security is thought through from the start.” Ideally, this applies to manufacturers and curricula to introduce future users to the conscious and secure use of networked devices.

Sources:

[1] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/DVS-Berichte/dvs-bericht_2020.pdf?__blob=publicationFile&v=6/

[2] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/DVS-Berichte/gesundheitsapps.pdf?__blob=publicationFile&v=2/

[3] https://www.computerweekly.com/de/ratgeber/IT-SIG-20-Was-bringt-eine-Sicherheitskennzeichnung/