The following article covers cybersecurity regulations, security technologies, and security courses offered by Doulos to help you develop and implement an effective security strategy for your organization.
Connected devices are all around us, ranging from wearables to connected cars, from smart fridges to smart TVs, we are all surrounded by these intelligent devices making our lives easier. With the advent of high-speed networks and an ecosystem of supporting services and applications, connected devices have flourished and have impacted almost every area of our lives. Now with growing AI capabilities, these devices are evolving further. It is not surprising that by 2030, it is predicted that the number of connected devices will reach close to 30 Billion (statista.com May 2024).
The proliferation of connected devices has also raised concerns about security breaches compromising product features. These concerns have made regulators look into tightening security regulations for connected devices.
There have been several cybersecurity breaches where security vulnerabilities in connected IoT products have been exploited. The CVE (Common Vulnerabilities and Exposures) website contains thousands of cybersecurity vulnerabilities recorded globally since 1999. Everyday IoT devices such as connected doorbells, pet feeders, thermostats, baby monitors, and many more have been the target of security attacks. The security vulnerabilities have allowed attackers to gain unauthorized control of networks and devices, resulting in cyber crimes such as spying and tampering with critical product functionalities. This poses not only regulatory and financial implications for companies manufacturing these products, but also a reputational risk in a competitive market space.
Globally, regulators are introducing or expanding legislation to introduce security requirements for IoT products for the product manufacturers.
In the UK, the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) has come into effect from April 29, 2024. The act aims to enhance the security procedures for consumer IoT products and puts the responsibility on product manufacturers to consider cybersecurity as part of their product design. The scope of the law covers consumer IoT devices such as connected appliances, smartphones, connected cameras and smart home assistants, but excludes some connected devices which are already covered by other regulations, such as medical devices and smart meters.
Some of the key requirements included in this act are:
The European Parliament has also recently passed the Cybersecurity Resilience Act (CRA) on March 12, 2024. The Act covers all connected digital products that process data remotely. Like the UK PSTI act, some categories of products such as medical devices, defense and military products and motor vehicles are not in the scope of CRA, as they are regulated through industry-specific legislation. The aim of the CRA is to establish common cybersecurity standards for digital products and connected services sold in the EU market.
CRA will impact manufacturers of digital products operating in the EU. Products are categorized into default, Class I and Class II categories. Class I and II have stricter security requirements and Class II mandates a 3rd party assessment for compliance.
CRA requires manufacturers to consider the security of the products throughout the entire lifecycle starting from design, production and through to support. The product should consider security factors during the product design phase, such as data encryption and access management, solutions to tackle security risk factors and minimizing the impact of any security attack. The manufacturers should ensure there are no known vulnerabilities in the product. Manufacturers need to provide security updates for 10 years or for the remainder of the support period and maintain a record of any vulnerabilities during the product lifecycle. Any security breach needs to be informed to ENISA (European Union Agency for Cybersecurity) within 24 hours.
The CRA is expected to come into force by mid-2024 and manufacturers will have 36 months to implement the new requirements, except for reporting requirements which apply from 21 months. Fines for non-compliance can be up to €15 million or 2.5% of global annual revenue, whichever is higher.
In the US, the Securities and Exchange Commission (SEC) introduced new cybersecurity rules effective from December 15, 2023. The rules require publicly listed companies in the US to report cyber security incidents, and disclose the impact on the company, within four business days after a company determines that it has experienced a material cyber-incident.
With these and other global regulations impacting cybersecurity requirements and compliance standards, it is not surprising that organizations are prioritizing investment in cybersecurity. The Logicalis Global CIO Report 2024 indicated 83% of CIOs reported that their business had experienced a cyber-attack within the past year, but only 43% of CIOs reported feeling their business was fully equipped to tackle cybersecurity attacks. Gartner’s 2024 Technology Adoption Roadmap for Security and Risk Management report highlights multiple security technologies, in different stages of adoption, that organizations are looking to deploy to strengthen the security of their products.
The deployment of these technologies demands a skilled workforce that can implement the security-by-design approach when developing products to minimize security risks. When working against tough project deadlines mandated by different cybersecurity regulations, a trained team can make all the difference between the success and failure of the project. For such high-impact projects, it is important to have an experienced training partner who can deliver your specific training requirements and make your team project-ready.
This is where Doulos steps in with its security training solutions.
With over 30 years of experience in training engineers in a variety of technical areas, Doulos training is unique as it is delivered by subject matter experts and includes extensive hands-on labs covering all aspects of the design and development process.
Doulos security courses include:
Doulos can help you get your team trained to enable them to comply with cybersecurity regulations.
Take an important step in protecting your organization from cybersecurity threats by enquiring now about our Security courses. Check out the course links above, contact your local Doulos team or complete an enquiry form.