Adopting a ‘Security-by-Design’ Strategy for Small and Medium-Size Organizations

This week’s featured blog post was provided by RHEA.

Canadian small and medium-size enterprises are facing ever-increasing cyberattacks. Yet, many are still struggling to develop a plan to strengthen their cybersecurity posture. Protecting laptops and networks are no longer sufficient measures. A “Security-By-Design” strategy is required. Thankfully, business owners can look at approaches adopted in major critical infrastructure areas and adapt a strategy that fits their organizations’ profiles and level of risks.

Every year, the World Economic Forum issues its Global Risks Report. The threat of cyberattacks has been appearing year after year in the Report’s top ten 10 major risks to watch for. This should not come as a surprise, given that a targeted cyberattack could remove access to power supplies, communication systems and other critical infrastructure on which we all, ultimately, depend in our day-to-day lives.

For smaller businesses, however, business growth is often the major, if not only, imperative focus. As a result, the threat of a cyberattack can seem far removed. Installing a firewall or anti-virus is often seen as taking sufficient security measures. Unfortunately, this is no longer the case. But where does a small-medium organization begin if it wants to strengthen its security posture? The answer may be to look at large critical infrastructure organizations and adapt their models. 

More and more critical infrastructure operators are adopting a “Security-By-Design” approach, recognizing that it makes most sense to design security into products, systemsand services from the outset, instead of trying to retrofit them later. As an example, defence agencies are increasingly adopting this approach when designing new crafts. In a European project to create a tactical remotely piloted aircraft system (RPAS) – a type of drone – RHEA Group was included in the consortium from the beginning with the express aim of ensuring that the aircraft would be cyber-resilient[i]. This was done by employing a methodology called concurrent design, which enables all components of a complex system to be considered together and balanced against each other during the design process, including security requirements.

There is a sound financial case for adopting this “Security-By-Design” approach, even if your organization is much smaller and never going to be classified as critical infrastructure. A National Institute of Standards and Technology study showed that relative to the cost of getting things right at the initial stages of planning requirements and architecture, it costs around 10 times more to fix ‘flaws’ at the integration and component testing stage, 15 times higher during system/acceptance testing and as much as 30 times higher at the production or post-release stage. And this applies as much to incorporating security as fixing or retrofitting anything else. It may feel natural to consider security features later, after you have done all the design work, and possibly even prototyping, but this clearly shows that the best return on investment comes from taking an upfront approach.

A research report by the Ponemon Institute[ii] backs up this proactive approach, stating that “When attacks are prevented from entering and causing any damage, organizations can save resources, costs, damages, time and reputation.” Based on the average cost of a phishing attack, for example, Ponemon calculated that the savings by spending on prevention would be US$682,650. Whether it is your internal systems or another organization considering the security implications of buying your products or services, investing in security from day one is vital.

So, what does this mean in practice for small and medium-sized business owners planning to develop new systems or release new products on the market? It means that security should be an active part, not only of system development lifecycles but also of any products being developed. When developing a new aircraft for instance, “Security-By-Design” involves elements such as carrying out a risk impact review of initial designs AND after any design changes. it involves the clear definition of security controls and requirements. It includes a secured design environment, frequent testing and relevant training. For larger organizations a cyber-range offers an emulation of an organization’s own systems and can be used not only for training staff at all levels, but also for testing realistic cyberattack scenarios that fit a specific business environment.

What applies to aircraft development can also apply to other business areas, including organizations offering services. The main principle is the same, which is to bring security at the forefront of business development (systems, products, or services), and not as an afterthought, or worse, when a cyber-attack occurs. The most important consideration is to bring the right stakeholders together from the start. Investments beyond basic cybersecurity tools will also be important. If a business owner does not have any security expertise, investing in it – either by training staff or bringing in an external expert on a temporary basis – will pay dividends in the long run. Then, just as RHEA’s experts would do, ensure your security-related policies, procedures or processes are rigorous, complete, and fully traceable.

[i] RHEA Group; LOTUS: Next Generation Tactical Remotely Piloted Aircraft Systems

[ii] Ponemon Institute; The Economic Value of Prevention in the Cybersecurity Lifecycle