If you follow the news, you’ll have noticed that there has been a significant uptick in the number of cybersecurity-related articles and stories lately, writes Herman Kannenberg, Head of Legal Affairs and Cyber Security, Huawei South Africa. This is because cyber-attacks are on the rise as cybercriminals tend to escalate their activity in times of crisis, uncertainty or transition – when people have their guard down.
The Covid-19 pandemic has not only introduced uncertainty into our lives, but has also accelerated the adoption of new technologies, creating a favrouable environment for cybercriminals.
Historically, many of these incidents have been as a result of poor product security. Several of the major security incidents of the past few decades fall within this category. The Greek wiretapping incident in 2006, the Stuxnet worm in 2010, Heartbleed in 2014, WannaCry in 2017, and the Meltdown and Spectre vulnerabilities of processors in 2018 were all examples of cybercriminals attacking specific product vulnerabilities.
As enterprises and economies pursue transformation to overcome the challenges brought on by the pandemic, they’re turning to 5G as catalyst in transforming how their enterprises operate. This also impacts the products and services they offer and acts as an essential component in multiplying the benefits and capabilities of other innovative technologies such as Artificial Intelligence and cloud computing. 5G, alongside digitization, not only facilitates the deployment of autonomous driving, smart cities and factories, but also serves as the foundation for human-to-human, machine-to-machine, and human-to-machine interactions.
According to the Common Vulnerabilities and Exposures (CVE) statistics, since 2017, the number of security vulnerabilities has exceeded 14 000 each year and is increasing year on year. As systems become more complex, new software frameworks and technologies continue to emerge and be developed and companies use more open-source and third-party components, an increasing number of more complex factors affect product security, posing increased risks. As a result, the industry is ascribing greater importance to product security.
While digitalisation will serve to promote economic development and recovery while fundamentally changing the way we live, it also blurs the boundaries of traditional networks resulting in more network risks and threats, leading to the consequences of vulnerabilities and attacks becoming more serious.
A major cause of cybersecurity incidents can be laid at the feet of poor product security. Unfortunately, it’s often the case that the products we are connected to are not built with security in mind and can become easy targets for criminals to get into more secure networks. It has therefore become critical to enhance product security in all aspects of a product’s lifecycle – from design and development to maintenance.
What can we do to decrease cybersecurity risks?
Improving product security is vital to mitigating cybersecurity risks and reducing these incidents that occur so frequently across the globe. There are two key ways that an enterprise can ensure that product security is both robust and proactive. Firstly, it is important that security management is not only embedded into the product development process and that cybersecurity is made a core capability of products, but also a fundamental approach to resolving cybersecurity issues.
Secondly, developing and implementing a baseline of common product security prerequisites will ensure that all products meet the same basic requirements in terms of security quality.
It is important to note that this baseline needs to be continuously updated and improved upon to keep pace with the ever-changing cybersecurity landscape – from regulatory to technical capabilities. For example, Huawei’s end-to-end cybersecurity framework integrates its result-based, universal and continuously improved upon Product Security Baseline into the product development process as a fundamental security requirement which effectively improves the security quality of all Huawei products.
The Baseline was developed based on common and critical security requirements identified through the study of the applicable laws and regulations as well as a deep understanding of, among other, customers’ business requirements, industry best practices and known issues. The Baseline consists of 54 requirements under 15 categories and 112 entries for implementation, guidance and interpretation. Alongside various quality assurance activities, the Baseline is strictly implemented to ensure product security quality and to prevent security incidents.
Creating a culture of security around product development
Traditional “border” defense that relies solely on security products such as firewalls, security software and intrusion detection systems are no longer effective in today’s complex security environment. Nor is it sufficient to reactively fix vulnerabilities as this does not help to effectively address the current cybersecurity challenges that poor product security introduces. Cybercriminals are becoming more sophisticated by the day and are increasingly taking advantage of any vulnerability they can find.
In today’s environment, it is crucial that we implement security by design and that security should be built into products rather than simply being an add-on. To ensure security, in addition to identifying risks and fixing vulnerabilities, it is important to systematically consider and plan security in the early design phase and implement security by design throughout the entire product development and lifecycle.
Simply put, product security is the work needed to build security into the products we create to ensure that they are being developed and manufactured with security in mind. Product security’s most important job, however, is to maintain the trust and respect of customers by ensuring the security and safety of their data and information. Security must be built into products as a fundamental capability in order to resolve security issues in a fast and cost-effective manner.