Cybersecurity: Who is bearing the greatest burden and how is regulation helping

Security and privacy are still the weak points of the story when talking about IoT and emerging technologies. Hackers never let up, that’s for sure. The rise of AI-powered attacks, phishing attacks with a twist and blockchain vulnerabilities are growing concerns for the industry. A revised version of the NIS Directive, a key piece of European Union (EU) legislation addressing cybersecurity for critical infrastructure, is due to come to the rescue in October 2024. What impact will this have on the IoT landscape?

It’s not about posturing or showing off the latest single dashboard tracking all systems with one click. Cybersecurity has turned into a multi-pronged digital race played out in public and private sectors alike to lay the foundation of trust and credibility amongst customers and investors.

With an increase of 221% compared to 2022, cybercrime is growing at a staggering rate as cyberattacks seem cheaper and easier than ever. Malware stands out as the fastest-growing threat of 2024, with 41% of enterprises witnessing this type of attack, closely followed by phishing powered by social engineering and deepfakes, and ransomware.

Cloud assets used to keep track of a company’s equipment, including Software as a Service (SaaS) applications, cloud-based storage, and cloud infrastructure management, remain the primary targets for such attacks. As if that were not enough, the rise of AI-powered attacks that automate tasks and evade detection, combined with an ever-growing number of connected devices (IoT) expanding the attack surface, makes matters more difficult. In this scenario, who should take the blame for failed cybersecurity is a perverse question.

The blame circle

“At the risk of over-simplifying, the threat actors only have to be right once, where defenders have to be right all the time,” says Kirsten Davies, Chief Information Security Officer (CISO) at Unilever, who will be speaking at the IOT Solutions World Congress 2024, to be held 21-23 May in Barcelona.

“This is an asymmetrical race, and the corporate protectors are further charged with enabling and empowering the growth of the businesses and missions they support,” she says.

Davies firmly believes that the ever-shifting threatscape makes it more necessary than ever to manage risk across applications and SaaS. This requires a strong partnership with application owners to ensure software is designed, built, and implemented with that risk in mind.

In this sense, she considers that good practices such as software asset management, code scanning and reviews, SBOM (Software Bill of Materials – the list of ingredients that make up software components) awareness and hygiene, as well as zero-day vigilance are always in order. “We can’t see into the future to predict the next big vulnerability, but what we can do is work together to speedily and holistically address risk across our application estates,” highlights the CISO at Unilever.

Regulation compliance

Accurate risk management is all the more necessary as any given business is required to comply with a host of laws and regulations directly related to cybersecurity.

Regulations and standards such as HIPAA, aimed at safeguarding sensitive patient data; SOC, which ensures the security of client data handled by third-party service providers; PCI DSS, protecting cardholder data during transactions; or the European General Data Protection Regulation (GDPR), which ensures the privacy of individuals’ data (especially relevant for IoT devices that collect and transmit personal information), play a substantial role in maintaining the integrity and trustworthiness of digital platforms.

As of October 2024, Europe’s mandatory cybersecurity directive, NIS 2, will add to this panoply of regulations to build a more secure digital world. The new directive, which is stricter than the previous one (from 2016), sets the baseline for cybersecurity risk management measures and reporting obligations across sectors such as energy, transport, health, and digital infrastructure. The general idea is to reflect that we have become more dependent on IT as a society.

A crucial point is that it addresses supply chain security, so it will require the security of ICT products and services to be ensured throughout the supply chain. And this includes IoT devices. Needless to say, non-compliance will lead to hefty fines.

“I believe the NIS2 directive aims at achieving compliance from an operational standpoint,” observes Tomàs Roy, Director of the Cybersecurity Agency of Catalonia. “While vulnerabilities and threats are inevitable, the key lies in how we respond to them, in what protocols we establish for crisis response. Everybody needs to take responsibility and play their part to generate a safer digital environment,” he adds, while stressing that “it will be interesting to see how the directive is implemented in Spain.”

Beyond that, the question on some observers’ minds is just how effective NIS2 can be, since compliance intended to make things better and safer sometimes makes it too hard to get anything done. In fact, some advocate the need for separate horizontal legislation for connected products. But that is another story.

Overall, there is no single answer to who bears the greatest burden when cybersecurity fails. It’s a shared responsibility between several parties. In this sense, education about security best practices is key, as it empowers people to make informed decisions. Kirsten Davies is convinced of that.

“We spend significant time on delivering effective Cyber Awareness campaigns, as they are key to galvanizing all employees as part of our first line of defense,” she concludes.

Article by: Anna Solana.
