We live in an era of digital transformation where more and more devices are connecting to bring new and innovative levels of service and efficiency. This transformation spans across all markets and the rate of progress is breath-taking, says David Maidment, director, secure device ecosystem at Arm.
This change brings huge benefits, but it also brings threats in the shape of an expanding cybercrime footprint. Every connected device is a hack potential. Rather than attacking traditional IT equipment, the cybercrime threats start to move to all aspects of our lives.
$6 trillion (€5.37 trillion) cybercrime
It is predicted that by 2021 there will already be US$6 trillion (€5.37 trillion) of cybercrime damage (Source: Cybersecurity Ventures Official Annual Cybercrime Report), which is a staggering number pinned against financial loss for businesses, without considering the damage to reputation and other harder-to-measure statistics.
When you pair this with an estimated average of 5,400 attacks on Internet of Things (IoT) devices every month (Symantec Internet Security Threat Report 2019) it’s clear to see why security standards have been rapidly evolving in the last 12 months. The cost of inaction is huge and ignoring security requirements isn’t an option. Governments, businesses and consumers across the world are starting to pay attention to this and look to the electronics industry for solutions.
As 5G connectivity expands, and we move towards a world of a trillion connected devices, government and industrial bodies are looking to implement preventative measures to protect against security vulnerabilities. It is now fundamental that every device is being designed securely from the outset and business processes have security in mind. Whether you have already embraced IoT, you’re exploring implementing it into your business, or you’re building the devices that will power this movement, there are crucial steps you should be taking to build assurance with customers, while also protecting your finances and brand.
Security laws and standards
A number of governments have taken action to protect businesses and consumers, with laws and standards in place such as ETSI 303 645 (Cyber Security for Consumer Internet of Things), California State Law (SB-327) and NISTIR 8259 (Core Cybersecurity Feature Baseline for Securable IoT Devices). All of these provide guidance on how devices should be protected, from good password practice, all the way down to cryptography, audit logging and other security protocols.
This means that industries that have historically been unregulated are moving towards more self-regulation, which in turn is slowly becoming law. If you’re naive to these standards and are creating, or deploying, insecure devices into your business, you could find that the devices are pulled from operation hindering the way your business is running, but also cutting the revenue streams you depend on.
How can you protect your business?
With all this in mind, how can you successfully navigate the regulations that may impose rules for your business in the future? First and foremost, you should follow advice from a trusted source. All the regulations coming to market use different wording, have slightly different requirements and guidance. You’ll need an approach that is scalable and understandable, especially if you’re a worldwide business that works in multiple markets.
This is where many experts agree that a common framework of security best practice is really important, offering technical support to companies, but also a common language that everyone can understand and execute against. Independent schemes are already available and seeing fast adoption, such as PSA Certified which is being recommended by government guidelines, including the National Institute of Standards and Technology in the US.
It offers a framework to secure devices and an assurance scheme to check it’s being implemented correctly. A key element of what is offered is a mapping across key standards in various geographical locations. This gives you a checklist to implement security against if you’re creating devices, or to be looking out for when you’re procuring devices for your company.
Adopt a security framework
Whatever your approach, it’s critical that a framework for security best practice is adopted in your business and that security is never forgotten. Security isn’t a ‘one-and-done’ endeavour and companies must stay vigilant as the threat landscape continues to change. It’s positive to see security standards and regulations already in place, but for the IoT to really take off, we need to combat the lack of security validation of IoT devices and ensure trust is built in at the heart.
The author is David Maidment, director, secure device ecosystem at Arm.