Taking a borderless approach to cybersecurity governance

Wayne Dorris

Robust cybersecurity has never been more important as cyberattacks continue to increase. In fact, against UK businesses alone, malicious attacks increased by nearly 20% in 2020 as bad actors took advantage of vulnerabilities introduced by remote working. Driven by the potential for financial gain or widespread disruption, cybercriminals can be highly motivated adversaries.

Fortunately, businesses aren’t left to fend entirely for themselves without guidance. Governments are keen to reduce the risks to businesses and customer data by implementing regulations that help standardise defences against attacks. Failure to comply can result in significant fines for the business in the event of a data breach.

This puts product manufacturers in a tight spot, as they must understand the regulations their customers are subject to and ensure that their products support compliance with them. This requires continued monitoring and vigilance, because regulations change, new ones arise, and existing ones are adopted from one region to another. Global manufacturers need to stay ahead of the regulatory curve to avoid the cost and disruption of the upgrades later required to maintain compliance.

Governance vs Compliance

From a customer perspective, adherence to regulation only represents the starting point for protecting critical data; organizations must focus on both governance and compliance. These terms can sometimes be confused, because they are closely linked. Governance refers to the internal policies that organizations put in place themselves. These tend to be over and above government regulations and tailored to their individual risk profile and the industry threat landscape.

On the other hand, compliance represents the measures put in place to ensure adherence to these internal policies and regulation. It is critical that these measures balance security with the user experience, without introducing unnecessary friction to processes. These measures can be audited by a third party and should stand up to scrutiny.

Both governance and compliance must be reassessed continuously as new threats emerge and vulnerabilities are discovered. As such, manufacturers are tasked not only with providing products and services that meet regulatory requirements, but also with meeting the governance requirements of all their customers.

Thinking globally about regulation

Unfortunately, regulations are not standardized across geographies. Global manufacturers of video surveillance technology are challenged by the differences in regulations between regions. For example, GDPR in Europe dictates how personal data is managed and stored. Personal data of individuals in the European Union is subject to this regulation even when the organisation processing it is based outside the EU. Failure to comply can have a significant financial impact. In fact, since the advent of GDPR in 2018, $332.4 million in fines have already been levied against organisations which breached the regulations. Contrast this with the US, where there is no universal standard and each state has its own regulation which companies must adhere to. Other countries and regions around the globe have their own specific approaches, creating a complex regulatory landscape. This is especially true if a business is based in one country, such as the US, and operates globally. It must adhere to the local standards of every country in which it does business, or risk being non-compliant.

Successfully navigating the different data protection and cybersecurity regulations between geographies starts with a deep knowledge and understanding of these regulations, coupled with the best practices to protect sensitive data against cyberattacks. This will determine what type of cybersecurity protection should be incorporated into products to support the customers’ own compliance measures.

Manufacturers must stay one step ahead

Even with a vast knowledge of regulations, manufacturers cannot lose sight of the ever-changing threat landscape. Firmware on products must be updated periodically, and promptly whenever new vulnerabilities are disclosed. Problems arise where legacy products are still in use but can no longer be updated.

For this reason, cybersecurity must be treated as part of product lifecycle management. Products beyond a certain age may no longer be cyber secure. This is complicated by changing regulations, which may also mean that the device is no longer compliant. Rectifying this may require the manufacturer to revisit software and firmware that is more than five years old, which can be very difficult.

Beyond the manufacturer’s four walls, another area which needs attention is the supply chain. As cybersecurity is a high priority, organizations within the manufacturer’s supply chain must be able to demonstrate how they approach cybersecurity and data protection. This includes how they comply with regulation and why they are ‘safe’ to do business with. Armed with this knowledge, manufacturers can be assured that they are not inadvertently introducing risk into their products.

Keeping customer’s best interests in mind

When it comes to cybersecurity, it is critical for organizations to understand the threats they face and their own risks and vulnerabilities, in addition to the regulations their customers need to comply with.

For manufacturers of devices used by customers in their security operations, a global-minded approach to cybersecurity measures will pay dividends. It keeps the customer’s needs at the forefront by ensuring that products adhere to the strictest regulations across the different markets. In addition, if existing regulations are adopted in new markets, products are already compliant, which removes the need for a firmware update driven solely by the regulatory change. In this way manufacturers act with the customer’s best interest in mind and support them in their goal of keeping their data safe and secure.

Click here to find out more about how Axis builds cybersecurity into its products.
