The number of connected devices and the Internet of Things (IoT) is rapidly expanding, as is our dependence on them. The emergence of mobile and IoT devices has revolutionised the way the world operates and continues to help businesses thrive in every facet of their daily operations. Yet these new technologies, not having been built with security in mind, pose major security risks to users and organisations, and they have presented enterprises with a myriad of security challenges. For example, an IoT device such as a smartphone may be sending data to a cloud service without the user’s knowledge. This lack of visibility into a device’s activity makes it difficult to identify malicious activity and to prevent threats from bypassing network controls.
Inevitably, mobile has become the fastest-growing attack surface. According to Verizon’s 2022 Mobile Security Index, 45% of organisations had recently experienced a mobile-related compromise, while 74% had experienced a “major” mobile-related compromise. This is hardly surprising considering that Gartner found that 75% of all mobile apps and devices are unprotected. The unfortunate reality is that any device connected to the Internet can be weaponised in some shape or form. It is therefore critical for enterprises to manage the existing vulnerabilities within their connected applications and devices. But where to start?
Cybersecurity and cyber resilience: what’s the difference?
In preparation for imminent threats, enterprises need to understand the fundamental differences between cybersecurity and cyber resilience. While the two terms may appear similar, as both relate to cyber safety and share the goal of safeguarding against cyberattacks, there is a distinct difference between them. Cybersecurity can be defined as a collection of technologies and actions undertaken with the aim of mitigating security risks, whereas cyber resilience is an organisation’s ability to minimise the impact of, and recover from, a cyber incident. This typically involves enforcing the appropriate measures to mitigate any damage as quickly as possible. The underlying difference stems from the recognition that cybersecurity alone can be inadequate: no matter how much time, effort and resources are invested in it, there may always be a vulnerability left unchecked that could lead to an attack. Building cyber resilience, by contrast, enables organisations to overcome the obstacles that arise if a cyberattack bypasses their existing controls.
The importance of the European Cyber Resilience Act (CRA)
In efforts to strengthen Europe’s ability to stay secure and improve its defences against cyber threats, the European Commission has, since the 1990s, passed multiple regulations for businesses in the EU to adhere to. Some of the most significant include the General Data Protection Regulation (GDPR), the EU Cybersecurity Act and the Network and Information Security (NIS) Directive 2. In further efforts to shape Europe’s digital future, in 2022 the European Commission introduced its proposed Cyber Resilience Act (CRA), the world’s first IoT-specific legislation. The new Act aims to establish an EU-wide cybersecurity framework that strengthens existing cybersecurity rules and protects digital products not covered by any previous regulation. It will apply to organisations that manufacture, develop and distribute hardware and software products with connected digital elements. The CRA’s other objectives are to raise the level of cybersecurity throughout the full product lifecycle, to establish clear regulatory surveillance and enforcement, and to enable businesses and consumers to use products with digital elements securely. This is a major step towards creating safer and more secure digital products in Europe, which will positively shape the future of technology development.
CRA and the future of technology development
The proposed legislation will call on developers and manufacturers of connected products to revise their existing practices to ensure the full safety and security of their products. The Development, Security and Operations (DevSecOps) methodology, in which security testing is integrated at every stage of the software development process, offers a good start, since in the long run security teams, architects and engineers within the manufacturing industries will be required to collaborate to address the CRA’s influence on the entire product lifecycle. Additionally, there are concerns over whether the CRA will threaten open-source software. Moreover, the enforcement of new regulations such as the CRA could add pressure on manufacturers of connected devices to invest in cybersecurity insurance for their products. In the future, it is likely that EU organisations will need to provide cyber insurers with evidence that they are CRA compliant in order to have a claim approved.
The progressive policy landscape
The initial draft text of the CRA is still progressing through the legislative process and, once negotiated among the EU Member States, should eventually pass. Despite ENISA’s EU-wide oversight of the CRA, every individual member state will be required to designate a market surveillance authority for enforcement. These authorities will have the means to request the withdrawal or recall from the market of a product identified as non-compliant. Similar to the GDPR, fines will also be levied, with estimated amounts of up to the greater of €15 million or 2.5% of total worldwide annual turnover. Additionally, the US federal government is also joining the movement and shifting its stance on cybersecurity, with the Biden Administration’s March 2023 National Cybersecurity Strategy as well as the US Cybersecurity and Infrastructure Security Agency’s (CISA) call to hold software manufacturers legally liable for the insecurity of their products. Evidently, governments are beginning to take a strong stance on new cybersecurity policies that will contribute to a major shift in the way organisations operate across the globe.
How organisations can prepare for CRA
In preparation for the finalisation of the CRA, organisations can conduct an audit and assessment of their existing application inventory and add in-app protection to all active applications. Further to this, integrating application security into the continuous CI/CD development process will help tackle the blind spots in specific products and across the entire networked environment. Ultimately, organisations could benefit from investing in a solution that can protect apps while simultaneously defending the enterprise against the multitude of unmanaged devices powered by those apps. Ideally, enterprises would invest in a solution that uses Extended Threat Defence (XTD) and DevSecOps toolkits to expand their defence to this new endpoint, defending against endpoint attacks by preventing apps from being weaponised.
Dr Klaus Schenk is Head of Product Security at Verimatrix, and is responsible for the security aspects and features of a product portfolio ranging from video security to cryptography and cybersecurity. His journey with video content protection started over 20 years ago at BetaResearch and later Comvenient.