What does the EU’s Cyber Resilience Act mean for businesses?

By Manoj Bhatt, Head of Security and Advisory at Telstra EMEA.


Given today’s socio-political landscape, questions of cybersecurity continue to gain traction. Ransomware, phishing, and DDoS attacks have all claimed a large share of the conversations around business security, and while these are crucial considerations, some others have often been overlooked in comparison or considered too hard to tackle. IoT, or smart devices, is one of the most notable examples of this. Smart devices have quickly become ubiquitous, and for consumers and businesses alike they are a non-negotiable part of everyday life.

With the number of smart devices in use expected to hit 13.1 billion by the end of 2022, it’s clear that smart devices are here to stay. But they introduce a number of new targets for cyber attackers to hit. Businesses and consumers alike are increasingly aware of this, with research by Which? finding that smart devices are targeted by cyber criminals at least 12,000 times per week. As such, the news that the EU Commission is proposing a new Cyber Resilience Act has come at the right time to help manage this growing threat. But what will the implementation of this mean for businesses?

What is the Cyber Resilience Act?

In September, the European Commission proposed a new law, the Cyber Resilience Act, which is designed to prevent attacks upon IoT devices by implementing new rules for manufacturers. Of note, it aims to put pressure on manufacturers to heighten their security from the design stage, and provide proof of this. The EU’s digital chief, Margrethe Vestager, explains that the Act ‘will put the responsibility where it belongs, with those that place the products on the market’.

The proposed Act will require manufacturers to monitor cybersecurity risks, and the vulnerabilities associated with their products, and respond to these to ensure security is maintained either for five years, or to match the predicted lifetime of the product. If they fail to do this, they will receive a considerable fine: either €15 million or up to 2.5% of their global annual turnover. It seems that the EU is taking a similar approach to GDPR.

This is a really encouraging step forward in alleviating the pressure on security departments who use third party products which they cannot secure within their own ecosystem. It’s well-known that businesses are facing a wider range of cyber threats than ever before and while an increasing number of nation-state and corporate ransomware attacks typically make the headlines, for most businesses it’s issues of unsecured IoT devices in their working environments that cause problems and risks on a daily basis.

The IoT risk today

Given how commonplace smart devices are, it’s easy to forget that they are a relatively new technology. These days it’s not uncommon for houses to be almost fully kitted out with smart devices - from the doorbell, to the light switches, to the fridge. Understandably, people are excited by a new technology that revolutionises their day-to-day lives, but this means they often forget that with any new technology there’s a risk of as-yet unknown vulnerabilities. We should also recognise that these devices can be used to mount attacks through IoT botnets, where attackers install bot malware on IoT devices without the user’s awareness.

A number of security researchers have discovered vulnerabilities and have asked manufacturers to resolve them. However, manufacturers seem reluctant to do so. The proposed Cyber Resilience Act could ensure that manufacturers address vulnerabilities in all of their devices, meaning that the threat of compromise is significantly reduced and is handled from the outset.

Along with this, there are unique challenges associated with the implementation and use of enterprise IoT devices, and we shouldn’t forget the connectivity of Operational Technology (OT). Enterprises are connecting OT equipment which traditionally might not have been connected to the internet, and in doing so they are turning it into IoT devices. These devices tend not to have been designed with security in mind from the outset, and the new Cyber Resilience Act will definitely put more of an onus on manufacturers to consider this for new OT devices.

This broadens the range of risks considerably, as we are faced with the internet connectivity of highly complex devices and operations. The use of internet-connected equipment that uses a standard username and password, with no multifactor authentication, and which has never been patched, can lead to severe business disruption as it is so easily compromised.

Bolstering security culture should remain top of mind

The Cyber Resilience Act is a positive step forward for more than one reason. In the first instance, it emphasises the role of the manufacturer in maintaining security standards rather than leaving this to the consumer or enterprise alone.

More than this though, it has ignited conversations around security culture. Discussion of the benefits of increased IoT security also naturally brings up questions of what organisations could improve on too. With so many IoT compromises associated with devices that may not be company-issued, or maybe older OT technology that is becoming IoT, it’s clear that educating employees is key regardless of the standard manufacturers are held to.

Regardless of how strong regulations are, businesses will always benefit from fostering a security-aware culture. The Act mandates the availability of security credentials in product descriptions, which is an invaluable resource in helping drive broad security awareness, but organisations shouldn’t stop there.

Finally, we hope that this new Act will have some teeth to ensure that the manufacturers will come to the table to have proactive conversations with enterprises to address these risks that we have been facing for some time. One would also hope that manufacturers understand how security controls within their products are an important part of product development, and that security must be baked in from the outset and not considered as an afterthought.
