Case study: How Ericsson promotes information security and privacy
Ericsson is a leading global provider of Information and Communication Technology (ICT) to service providers, with approximately 40% of the world’s mobile traffic carried through its networks. Accordingly, information security and the protection of personal data, focusing primarily on maintaining the confidentiality, integrity and availability of information while not hindering operations, is a top priority for Ericsson.
This case study is based on the 2018 Sustainability and Corporate Responsibility Report by Ericsson published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.
Abstract
As both the value of information and the capabilities of threat actors increase, information security and privacy have become issues of national importance globally and a key consideration for operations in Information and Communication Technology (ICT). In order to promote information security and privacy Ericsson took action to:
- implement policies and directives
- address privacy risks
With this case study you will see:
- Which are the most important impacts (material issues) Ericsson has identified;
- How Ericsson proceeded with stakeholder engagement, and
- What actions were taken by Ericsson to promote information security and privacy
What are the material issues the company has identified?
In its 2018 Sustainability and Corporate Responsibility Report Ericsson identified a range of material issues, such as anti-corruption, product energy performance, occupational health and safety, diversity and inclusion. Among these, promoting information security and privacy stands out as a key material issue for Ericsson.
Stakeholder engagement in accordance with the GRI Standards
The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:
Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.
Key stakeholder groups Ericsson engages with:
- Customers
- Shareholders
- Employees
- Suppliers
- Governments
- Civil society
- Non-governmental organisations (NGOs)
- Industry partners
- Media
- Academia
- General public
How stakeholder engagement was made to identify material issues
To identify and prioritise material topics Ericsson carried out surveys and dialogue with employees, customers, investors, and other stakeholders.
What actions were taken by Ericsson to promote information security and privacy?
In its 2018 Sustainability and Corporate Responsibility Report Ericsson reports that it took the following actions for promoting information security and privacy:
- Implementing policies and directives
  - Ericsson’s Audit and Compliance Committee of the Board of Directors receives updates on cybersecurity at least twice a year, and includes security as part of its annual training. Information security and privacy incidents are reported through Ericsson’s Security Incident Management System (SIMS), and routed to the appropriate function for case handling. Ericsson has an established Security and Privacy Framework, to make sure issues are considered throughout the entire product lifecycle, and a set of Policies and Directives to establish the requirements for information security and privacy across the company. Ericsson’s Product Security framework includes a mandatory area of regulation specifically for security and privacy, applicable to all products. Ericsson also enforces a Crisis Management Directive, and has a Group Crisis Management Council, responsible for the handling of major incidents or crises that affect Ericsson.
- Addressing privacy risks
  - The nature of Ericsson’s business, and of the data that its products transmit, requires the company to be at the forefront of data protection and information security. Ericsson has adopted a risk-based approach for investment in cybersecurity and privacy. The potential impact on Ericsson’s brand, in terms of customer trust and market access, is weighed against the cost of implementing tools, processes and technology to make sure that Ericsson can protect its customers and data. Safe and secure telecommunications networks and services provide the foundation for Critical National Infrastructure such as national security and emergency coordination, healthcare, education and finance services. More secure networks require less downtime and unplanned maintenance, which increases trust in the infrastructure. Ericsson’s information security and privacy frameworks are designed to make sure its products and services are more resilient to attacks, and less likely to be impacted by unforeseen consequences. In 2018, Ericsson also launched a certification programme, Ericsson Certified Security Associate, and two training courses for all employees, Data Privacy 2.0 and Be Security Aware, which were completed by more than 83,640 and 82,060 employees, respectively. Ericsson’s Information Security Management System is certified to ISO/IEC 27001.
Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?
The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data
Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:
- Sustainable Development Goal (SDG) 16: Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels
- Business theme: Compliance with laws and regulations, Protection of privacy
References:
1) This case study is based on published information by Ericsson, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:
http://database.globalreporting.org/
2) https://www.globalreporting.org/standards/gri-standards-download-center/
Note to Ericsson: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.