There's not much Finland can do about its climate.
"The climate of Finland is characterized by long, cold winters and short, mild, and moderately rainy summers." Wow, sounds great.
However, leaders at its National Cyber Security Centre (NCSC-FI) are trying to change the cybersecurity climate within the Scandinavian country. And they now have the seal of approval to do it.
New cybersecurity seal of approval for IoT devices
Finnish Transport and Communications Agency, Traficom, just announced its new cybersecurity label.
"The label guarantees to consumers that the labeled devices have basic information security features. The Cybersecurity label can be awarded to networking smart devices if the devices meet the certification criteria...."
The agency says this is a decision based on public interest as Internet of Things (IoT) "smart devices" have become more prevalent and data hungry.
"As smart homes are becoming increasingly common, more and more devices are connected to the internet and the data transmitted by these devices is used for various services.
Because these devices also collect data on their users, their information security features play an increasingly important role. When smart TVs, smartphones, toys and other connected devices in the home network are secure, users can avoid the risk of data abuse, hacking or data leaks."
New cybersecurity seal of approval: helps with consumer questions
This new process in Finland is aimed at a problem we've heard plenty about at our SecureWorld cybersecurity conferences: how are consumers or even organizations supposed to know which IoT devices are attempting to do security well?
"The security level of devices in the market varies, and until now there has been no easy way for consumers to know which products are safe and which are not. The Cybersecurity label launched today is a tool that makes purchase decisions easier by helping consumers identify devices that are sufficiently secure," says Director Jarkko Saarimäki from the NCSC-FI at Traficom.
Finland is the first EU country to offer something like this, and is rolling out a marketing campaign with the slogan, "buy smart, not blind."
And we're pretty sure Ravi Thatavarthy would call this a step in the right direction.
He's the former CISO for iRobot, which has sold more than 20 million robotic devices, making it the leading global consumer robot company. He told the audience at SecureWorld Atlanta:
"We are living in a world of connected products. My belief is that security combined with privacy will become a brand differentiator."
This new cybersecurity badge finally gives manufacturers a way to differentiate themselves when it comes to privacy and security.
Finland cybersecurity certification label: what does it mean?
For our readers, there is a main question worth answering: what does this label mean, and what must you accomplish to earn it? Here's a look at how these products are evaluated:
- Manufacturers must share key security features of the product or service and its associated ecosystem.
- IoT makers must provide information on safe use and the duration of the security support provided.
- The device's access control must be discussed: passwords, certificates, or third-party authentication methods.
- Software security: what does the device have and how will it be kept up to date?
- Privacy policy: the device maker must reveal the purposes of data collection and whom is collecting the data.
- How is the smart device handling data transfer and storage: authentication, encryption, and key management practices?
- Security of web interfaces: IoT devices must minimize unnecessary online services and comply with the minimum rights principles. (Essentially, least privilege. If something does not need access to the device, it should not have that access.)
- Safe default settings: these settings must be designed to protect the user by default. This is the opposite of what is happening now, in most cases.
Products with the cybersecurity approval right now
The initiative is starting small. Right now, there is one wireless networking hub, one smart watch, and one smart thermostat app already approved by Finnish officials.
It is a small start with big dreams for changing the cybersecurity climate of Finland and perhaps impacting change around the world.
"We are hoping that consumers will learn to recognise the label and actively look for it when selecting products and services. At the same time, we will contribute to the increased availability of secure devices in the market. We hope that as many manufacturers as possible want to certify their products. Our goal is that in a few years most home electronics categories will include products with the Cybersecurity label," Saarimäki says.
The Finland cybersecurity approval website is https://tietoturvamerkki.fi/.
[RELATED: Top IoT Concerns for Information Security and Privacy Professionals]
