What security mindset changes must happen for your next IoT success?

With insights from Derek Yu, Principal Consultant, derek.yu@zuehlke.com

- Businesses should perceive cybersecurity as an ongoing process beyond traditional product development.
- Early investment in cybersecurity pays off in the long run.
- Increasing cyber incidents imply a great market potential for your cybersecurity investments.

In the dominant trend of industrial digitalisation, IoT is playing a vital role in expanding markets, enabling new business models, and solidifying a company’s innovative image. However, as we increasingly hook up software with our infrastructures, more businesses are becoming attractive targets for cyberattacks, which now cause real-world damage as the flip side of increased connectivity. In the field of healthcare, a 2019 survey conducted by Irdeto found that an astonishing 82% of surveyed healthcare industry leaders had experienced cyberattacks in the past year. As major cyber incidents like the SolarWinds hack and cyberattacks on COVID-19 vaccine transportation are stealing headlines in 2020, governments and businesses are learning the importance of cybersecurity the hard way.

In this article, we will discuss an urgent security problem many industries face and propose three important mindset changes that must happen for developing your next IoT solution.

Cybersecurity is too costly to ignore

A major challenge that limits businesses’ efforts in securing their products and services is the same issue as that of many other efforts: cost. As we reap IoT’s benefits of reducing expensive, inefficient, and often hazardous labour overhead, the same drive for efficiency also constrains the development of IoT products, which are often positioned as low-cost and low-maintenance solutions. In the drive for low-cost yet feature-rich products, cybersecurity often takes a backseat since it is hard to perceive an immediate and explicit customer value.
However, cyber incidents have become extremely costly across all industries. According to research published by IBM, the average data breach cost a business 3.9 million USD in 2020. Critical industries suffer even higher losses, with the healthcare industry leading the pack with an average cost of 7.1 million USD and the energy sector being a close second at 6.39 million USD. Given the widely accepted perception that attacks “are only a matter of time,” the disturbing question we must ask ourselves is whether businesses that do not prepare themselves are ready to pay such a cost when the day comes.

Despite daunting statistics, we believe that cybersecurity efforts should not thrive on fear, uncertainty, and doubt. Instead, similar to the digitalisation journey itself, businesses should address the problem of cost with three fresh mindsets for a more long-term security posture.

Mindset 1: Investing in cybersecurity early is much cheaper in the long run

Cybersecurity is expensive and difficult if we treat it as an afterthought. Without thinking of cybersecurity early enough, teams inevitably develop products with flawed or non-existent security considerations. When security issues are identified at a later stage, we often lack the resources to resolve them properly, and the fixes are often bogged down in technical debt. These limitations result in a compromise on ad hoc patchwork, which offers limited protection to critical functions, does not address all of the security issues, or is infeasible to roll out to a large-scale IoT deployment.

Businesses can drastically lower the cost of their cybersecurity efforts if they invest early. By adopting a shift-left security attitude, development teams can thoroughly analyse potential threats and incorporate established security solutions in the early stages of requirements engineering. The same mindset also extends to automating security processes to optimise secure software development and operations monitoring.
According to the same data breach report cited above, companies can save up to 3.58 million USD (which is over 90% of the average cost) if they fully automate their security processes.

Mindset 2: Treat security issues with a supportive culture

Security incidents, regardless of severity, are often perceived as humiliation, so developers often face increased scrutiny when their code leads to security vulnerabilities. It is important to recognize that no system can be perfectly secure and that mistakes happen. In the face of a security vulnerability, the community needs to set aside finger pointing and focus on resolving the situation as a team effort.

Additionally, security findings are often downplayed or underestimated when society in fact demands more corporate transparency and initiative. According to research by Ponemon in 2019, 60% of data breach victims were compromised due to known but unpatched vulnerabilities. No matter the reason, it is evident that businesses should perceive cybersecurity as an ongoing process that extends beyond the original scope of traditional product development. As a best practice, we should support ongoing security monitoring and patching efforts with dedicated resources or budget.

Mindset 3: You have your customers’ support

Although we are in the cost-sensitive world of IoT and digitalisation, the two previous mindset transitions require even more upfront investment and effort. But businesses, now more than ever, have their customers’ support when it comes to cybersecurity investment and transparency of handling customer data. Based on Cisco’s study in 2020, almost one-third of surveyed consumers refrained from conducting business with organizations due to data privacy concerns. In critical fields like healthcare and finance, we expect higher standards from business customers and end users to justify cybersecurity investments. At the end of the day, when making purchasing decisions, customers are looking for peace of mind.
Be it in the form of data protection features, security compliance, or cyber insurance, there is a great market potential for businesses that are willing to prioritize security investments.

Things to immediately act on

We identify the following practical steps when kickstarting your next IoT project in good security shape:

- Perform thorough security analyses with mandated actions as early as possible.
- Make security easy for developers, e.g., by incorporating automated security testing and verification.
- Set up logging and monitoring mechanisms of system operations at the beginning.

The key here is not to make improving or monitoring security a painful task for tomorrow, but to set things up before the first shipped product feature.

Let’s get in touch

As industries digitalise to bring further customer value, we continue to witness more cyberattacks, which now disrupt more critical functions of society. The cost of damages and the increasing market demand continue to tip the scale towards the need for serious cybersecurity readiness. With the right mindset shifts, industries will position themselves in a much better way for a sustainable and accountable business.

What are your experiences in securing your digital businesses and assets? At Zühlke, we have expansive expertise and experience in addressing cybersecurity needs for many industries. Contact us and we will help make cybersecurity a selling point for your next big thing.

Derek Yu, Principal Consultant

Derek (Der-Yeuan) Yu is a Principal Consultant at Zühlke in Zürich, Switzerland.
He holds a doctor's degree in Computer Science from ETH Zurich and has research experience in many cybersecurity topics, such as system security and network security. He also has industry experience in developing secure IoT solutions. Derek's day-to-day work and interests include reviewing security designs, developing security development best practices, industry IoT, and DevSecOps.

Contact: derek.yu@zuehlke.com, +41432166010