Radio Frequency ID (RFID) tags are wonderful! High-tech embedded in a thin plastic band. Cheap, flexible, powerful and useful for a wide range of applications; but since their popularisation there has been some controversy about security and privacy issues. Civil rights groups and the privacy-concerned public are campaigning against the use of these devices and demanding government regulation. They are right, but only partially. Some cases are pretty sound, like pharmaceuticals (really, I don’t want anyone to know that I’ve got Viagra in my briefcase!), but if a company uses RFID to manage inventory, supply-chain or maintenance processes, is it affecting anybody’s privacy?
The privacy problems are mainly two, one technical and the other psychological:
They must be low-cost devices and therefore they can implement only a limited set of encryption and authentication algorithms. News like this one (yes, the S is the S from RSA!) shows the reality of RFID security. Right now it is just an isolated experiment, but recent events in the security market ... (A good example is the WEP encryption standard for WiFi networks: in only months, Wired Equivalent Privacy became synonymous with insecurity.)
The fear of progress and technological change. Politics and lobbying agents also matter, but, of course, they need some fuel in the form of public support. This one, unfortunately, is messier to deal with.
In addition, some other managerial questions are also relevant. If critical processes rely on information gathered by RFID infrastructure, there are some questions we should answer (a first approach):
- Is there any concern about, and awareness of, RFID risks?
- Is your organization managing policies and procedures related to RFID and complying with current regulation?
- Are controls in place to assure that RFID tags are properly issued and scrapped?
- Are controls in place to assure that RFID infrastructure systems are tracking all items reliably?
- Are RFID tags properly deactivated to safeguard clients’ or suppliers’ privacy?
- Who is accountable for all this?
Let me show a simple example: a regular task for financial auditors is to estimate inventory accounts based on physical inventories, using samples. What if your systems provide a quasi-physical inventory based on an RFID-equipped warehouse facility? Should the auditor rely totally on this data? Should the auditor work as if there were no RFID system? I leave the answer to the reader.
Pending task: how about a good IT audit program for RFID environments?
Strategy Tip: Don’t forget, new emerging technologies come together with “emerging” risks.