Circumstances have never been more opportune for cyber criminals. Certifying for cyber security can help your business stay safe – and trusted.
With the Internet increasingly serving as the core infrastructure for the global economy, the need for unified cyber security strategies are pressing. Value chains are highly integrated, not least with respect to data. This leaves companies and organisations vulnerable to attacks.
The 2019 hacking of Norsk Hydro AS and the recent hacking of Garmin are cases in point – though merely two drops in the ocean of global cyber crime. Determining the exact financial impact of cyber attacks is almost impossible – reputation damage and other intangible costs are hard to pinpoint. Then again: Who needs decimals when counting numbers this large? According to Accenture (2019), the average cost of a cybercrime attack is US$13 million.
“It could have been worse for Garmin. And it’s only a matter of time before ransomware’s big game hunters strike again.”
Despite the dramatic costs involved, few areas have been as unregulated as cyber security. This is changing.
The EU Cyber Security Act Has Been Introduced
In Europe, the EU Cyber Security Act has been introduced, establishing an “EU-wide cybersecurity certification framework for digital products, services and processes”. For the time being, it does not mandate certification of IoT devices, but that too is on the horizon: The European standard “Cyber Security for Consumer Internet of Things” (ETSI/EN 303 645) was published in June 2020, and some national schemes – like in the UK and Finland – are already referring to this standard.
Businesses and organisations can and should consider certifying for the standard, even before it becomes mandatory. In general, certifications can do wonders for the marketability of a product and its parent company.
Why Certify for Cyber Security?
Companies need to certify for cyber security for the exact same reasons they need certification for other areas, such as electrical safety. Certifications make it possible to:
- simplify trade by having a common set of requirements.
- demonstrate security to customers.
- give both consumers and businesses a common understanding of a defined level of cyber security.
- ensure compliance to national / international regulations.
How Will Certifications Make The Products Safer?
Almost all breaches of security are due to shortcomings in a product or service, of which the perpetrator takes advantage. Evaluators from the certification body will be able to find shortcomings in the product design that leave the product vulnerable, such as a hardwired backdoor, ports that are unnecessarily left open, radio transmissions that give information to a possible outside listener or a lack of secure solutions for closing future vulnerabilities.
The evaluation will also cover e.g. the necessity of personal information collected, which also is a part of a number of regulations, including the European General Data Protection Regulation (GDPR).
What Are The Benefits for The Manufacturer?
In addition to ensuring the security of their product, the manufacturer now has a third-party professional evaluation documenting that their products and internal processes comply to a defined standard and security level. This same documentation can be used towards all potential customers, avoiding or reducing the need for various sets of documentation for multiple buyers.
Demonstrating compliance to established international standards has been an important tool between manufacturers and buyers for decades, in areas such as product safety. It also serves as an insurance for buyers, who may not have the necessary expertise in the cyber technology.
Taking Arms against Cyber Crime
Unfortunately, security experts only expect the current trend to worsen. Thus, on account of the hefty costs involved for victims, it seems reasonable to assume that stakeholders will keep a keen eye on the security practices of the companies and organisations they deal with.
"As these criminal organizations grow, they're growing like a regular business would. They're building out different teams who can conduct these intrusion operations at a greater scale, or with greater efficiency, or without being detected. That's going to continue to grow as well."
Certification marks won’t guarantee 100 percent watertight systems or products, but they will instantly inform potential buyers or partners that “we work hard to safeguard your data”.
We’ll all have to accept that using the Internet comes with a degree of risk, just like using any other kind of infrastructure does. If you partner with the right organisations, however, you’ll be able to minimise that risk. That in turn, will reflect kindly on your appeal to customers and partners.
Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...