Zühlke – Empowering Ideas


Three mindset shifts for Cyber Security in industrial IoT

Derek Yu

In the dominant trend of industrial digitalisation, IoT is playing a vital role in expanding markets, enabling new business models, and solidifying a company’s innovative image.

However, as we increasingly connect software to our infrastructure, more businesses are becoming attractive targets for cyberattacks, which now cause real-world damage through that increased connectivity.

Insight in brief

  • What security mindset changes must happen for your next IoT success?
  • Businesses should perceive Cyber Security as an ongoing process beyond traditional product development.
  • Early investment in cybersecurity pays off in the long run.
  • The increasing number of cyber incidents implies great market potential for your cybersecurity investments.
     

In the field of healthcare, a 2019 survey conducted by Irdeto finds that an astonishing 82% of surveyed healthcare industry leaders have experienced cyberattacks in the past year.

As major cyber incidents like the SolarWinds hack and cyberattacks on COVID-19 vaccine transportation are stealing headlines in 2020, governments and businesses are learning the importance of cybersecurity the hard way. In this article, we will discuss an urgent security problem many industries face and propose three important mindset changes that must happen for developing your next IoT solution.

Cyber Security is too costly to ignore

A major challenge that limits businesses’ efforts in securing their products and services is the same one that limits many other efforts: cost. As we reap IoT’s benefits of reducing expensive, inefficient, and often hazardous labour overhead, the same drive for efficiency also constrains the development of IoT products, which are often positioned as low-cost and low-maintenance solutions. In the drive for low-cost yet feature-rich products, cybersecurity often takes a backseat since it is hard to perceive an immediate and explicit customer value.

However, cyber incidents have become extremely costly across all industries. According to research published by IBM, an average data breach cost a business 3.9 million USD in 2020. Critical industries suffer even higher losses, with the healthcare industry leading the pack with an average cost of 7.1 million USD and the energy sector being a close second at 6.39 million USD. Given the widely accepted perception that attacks “are only a matter of time,” the disturbing question we must ask ourselves is whether businesses that do not prepare themselves are ready to pay such a cost when the day comes.

Despite daunting statistics, we believe that cybersecurity efforts should not thrive on fear, uncertainty, and doubt. Instead, similar to the digitalisation journey itself, businesses should address the problem of cost with three fresh mindsets for a more long-term security posture. 
 

Mindset 1: Investing in Cyber Security early is much cheaper in the long run

Cyber Security is expensive and difficult if we treat it as an afterthought. Without thinking of Cyber Security early enough, teams inevitably develop products with flawed or non-existent security considerations. When security issues are identified at a later stage, we often lack the resources to properly resolve these issues, which are often bogged down in technical debt.

These limitations result in a compromise in the form of ad hoc patchwork, which offers limited protection to critical functions, does not address all of the security issues, or is infeasible to roll out to a large-scale IoT deployment.

Businesses can drastically lower the cost of their Cyber Security efforts if they invest early. By adopting a shift-left security attitude, development teams can thoroughly analyse potential threats and incorporate established security solutions in the early stages of requirements engineering. The same mindset also extends to automating security processes to optimise secure software development and operations monitoring.

According to the same data breach report cited above, companies can save up to 3.58 million USD (which is over 90% of the average cost) if they fully automate their security processes. 
 

Mindset 2: Treat security issues with a supportive culture

Security incidents, regardless of severity, are often perceived as humiliation, so developers often face increased scrutiny when their code leads to security vulnerabilities. It is important to recognize that no system can be perfectly secure and that mistakes happen. In the face of a security vulnerability, the community needs to set aside finger pointing and focus on resolving the situation as a team effort.

Security findings are also often downplayed or underestimated, even though society in fact demands more corporate transparency and initiative. According to research by Ponemon in 2019, 60% of data breach victims were compromised due to known but unpatched vulnerabilities. No matter the reason, it is evident that businesses should perceive Cyber Security as an ongoing process that extends beyond the original scope of traditional product development. As a best practice, we should support ongoing security monitoring and patching efforts with dedicated resources or budget.
 

Mindset 3: You have your customers’ support

Although we are in the cost-sensitive world of IoT and digitalisation, the two previous mindset transitions require even more upfront investment and effort. But businesses, now more than ever, have their customers’ support when it comes to Cyber Security investment and transparency of handling customer data. Based on Cisco’s study in 2020, almost one-third of surveyed consumers refrained from conducting business with organizations due to data privacy concerns. In critical fields like healthcare and finance, we expect higher standards from business customers and end users to justify Cyber Security investments.

At the end of the day, when making purchasing decisions, customers are looking for peace of mind. Be it in the form of data protection features, security compliance, or cyber insurance, there is great market potential for businesses that are willing to prioritize security investments.
 

Things to immediately act on

We identify the following practical steps for kickstarting your next IoT project in good security shape:

  • Perform thorough security analyses with mandated actions as early as possible.
  • Make security easy for developers, e.g., by incorporating automated security testing and verification.
  • Set up logging and monitoring mechanisms of system operations at the beginning.

The key here is not to make improving or monitoring security a painful task for tomorrow, but to set things up before the first product feature ships.
 

Let’s get in touch

As industries digitalise to bring further customer value, we continue to witness more cyberattacks, which now disrupt more critical functions of society. The cost of damages and the increasing market demand continue to tip the scale towards the need for serious Cyber Security readiness. With the right mindset shifts, industries will position themselves in a much better way for a sustainable and accountable business.

What are your experiences in securing your digital businesses and assets? At Zühlke, we have expansive expertise and experience in addressing Cyber Security needs for many industries. Contact us and we will help make Cyber Security a selling point for your next big thing.

Derek Yu

Principal Consultant

Derek (Der-Yeuan) Yu is a Principal Consultant at Zühlke in Zürich, Switzerland. He holds a doctor's degree in Computer Science from ETH Zurich and has research experience in many cybersecurity topics, such as system security and network security. He also has industry experience in developing secure IoT solutions. Derek's day-to-day work and interests include reviewing security designs, developing security development best practices, industry IoT, and DevSecOps.