This October marks Cybersecurity Awareness Month, an annual event first declared by the US President and Congress in 2004 and now spearheaded by the Cybersecurity and Infrastructure Security Agency (CISA). It is designed to spread education about online safety and promote cybersecurity best practices for individuals and businesses.
This year's is the 21st Cybersecurity Awareness Month and is focused on the theme 'Securing Our World', as increasingly connected devices and networks present a growing challenge.
Offering tips for staying safe online, CISA highlighted four simple steps towards better cybersecurity: use strong passwords, turn on multi-factor authentication, recognise and report phishing, and update software regularly.
“CISA is excited to again partner with the National Cybersecurity Alliance and lead the federal government’s efforts to reduce online risk during this 21st Cybersecurity Awareness Month and every month,” said Jen Easterly, Director of CISA. “Our focus is working with government and industry to raise cybersecurity awareness and help everyone, from individuals to businesses to all levels of government, stay safe online in our ever-connected world. Protecting ourselves online is about taking a few simple, everyday steps to keep our digital lives safe.”
Cybersecurity in IoT
This messaging is particularly pertinent for the IoT industry, which depends on connectivity and interoperability between devices to operate, as sectors from agriculture to transport and logistics become increasingly digitised.
The risks of having more and more devices connected, especially in the smart home sector, where smart home devices can, in theory, be exploited to gain access to people's sensitive data, are being recognised in cybersecurity legislation that has either passed or is due to come into force.
The PSTI Act coming into force on 29th April this year, for example, represented a landmark moment in regulation: it actively legislates against poorly secured devices, including those shipped with weak or default passwords, and requires device manufacturers to be clear about how security issues or bugs can be reported and for how long end users will receive security support.
More recently, the European Union's NIS2 Directive came into force. It makes companies providing digital services, from cloud computing to social networking platforms, subject to the requirements it outlines, including incident reporting.
There is also the Cyber Resilience Act, which is causing a lot of discussion. It has yet to come into force, but it represents the EU legislating cybersecurity for any product with a digital element, significantly widening the scope of what is covered.
The US, for its part, has the Cyber Trust Mark, a voluntary labelling scheme, as part of its answer to stronger cybersecurity measures.
The variety of legislation, and of the markets to which it applies, means companies manufacturing IoT products have a big job on their hands: not only understanding compliance requirements, but navigating differing regulation if they want to sell into, for example, both the UK and the EU.
Advice for understanding legislation
In a panel session held at the IoT Security Foundation Conference in London on 23rd October, which IoT Insider attended, panellists discussed their advice for businesses navigating the myriad of regulations.
“One thing we advise is to look internally at what frameworks do exist, like the IoTSF framework, and put your products through that,” said Matt Tett, Subject Matter Expert, IoT Security Mark P/L. “Most organisations that we work with in manufacturing and vendors have compliance teams … they understand how regulations and standards work, and then see which markets they’ll be exporting their products to or importing their products from.
“That’s the number one thing we say before you even look at whether you can self-declare or whether you need to go through an assessment.”
He warned against becoming the “guinea pig” or “test” for regulatory bodies; in other words, ensure compliance and preparedness so as not to be made an example of.
“The most important [piece of] advice [is] if you haven’t started already, start now,” stressed Florian Lukavsky, CTO of ONEKEY. “Start as soon as you can, pick your favourite scheme that’s out there already and start adopting it.”
The key takeaways for complying with cybersecurity legislation, then, are to be prepared, to understand existing frameworks and to adopt early, so as not to be taken by surprise as and when regulation is introduced. Growing awareness, a clearer appreciation of the impact of cyber crime and the interconnectedness of devices have made being safe and secure a necessity.