Security by Design: Prevention is better than cure

08 February 2018

How do German companies approach IT security? An in-depth study by TÜViT aimed to find out. And the conclusion is ... prevention is better than cure. So potential security gaps in software, IT architecture or networked devices should be identified and closed early on, during the development process.

Smart houses, intelligent heating systems, networked machines in factories and data in the Cloud: digitization offers users and businesses previously unimagined possibilities. But day after day, the increase in networking offers hackers new loopholes and vulnerabilities to exploit ... and the massive cyber attack on thousands of Telekom routers in 2016 is only one proof of this. It is true that legislators and companies are reacting ever more strongly to this challenge, but ... “Many users and companies still view IT security as a necessary evil”, as Dirk Kretzschmar, Managing Director of TÜViT confirms. This conclusion is also supported by a study carried out on behalf of TÜViT, which contained a survey of more than 100 decisionmakers from different sectors of industry and commerce. In cases of doubt, two thirds of the organisations covered put product performance and rapid development time above IT security.

There is certainly an awareness of the challenges arising from the digital age. One third of the respondents view the increasing rate of digitisation as the most serious risk for their own IT. But there is still often a lack of strategy in order to reduce this risk – and in fact, only around a third of the companies have defined an integrated security strategy. There is also often a need for improvement when it comes to the budget that businesses invest into the security of their IT systems or production processes. More than one half of those surveyed only put six per cent or less of their total budget into security. But to achieve better protection against gaps in security and hacker attacks, the authors of the study recommend that at least ten percent should be invested.

And there is still the suspicion that IT security is a barrier to innovation or slows it down. One possible approach here is Security by Design. The idea behind this concept is that prevention is better than cure. Possible security gaps in software, IT architecture or networked devices should be identified and eliminated during the development process. So when it came to the development of so-called smart meter gateways, the IT security experts at TÜViT were involved from the very beginning. These communication hubs for central heating systems transfer data from electricity meters to energy suppliers – so they can adapt their electricity production to the requirement that exists at any particular time. And the TÜViT experts are involved in the entire process, from creation of the security profile, through the development environment and the completion phase, up to delivery of the devices. While one department creates the security profile, another performs penetration tests to establish if the security measures are proof against cyber attack.

“Security by Design saves time and money that would otherwise have to be invested in closing security gaps after the product has been placed on the market. It means that products and software are more secure, and both manufacturing and maintenance costs are reduced”, emphasises Dirk Kretzschmar. And awareness of this is now well established in some sectors of industry. Security by Design is already known and used by 43 per cent of companies in the financial sector. In the case of energy suppliers, this even rises to 67 per cent, which is also a result of the strict legal requirements that apply in these critical areas.

Of course, Security by Design cannot be a cure for all of the risks associated with digitisation. “Transformation of existing corporate processes and IT architectures is just as important”, says Kretzschmar. Alongside ongoing development of the entire organisation towards more processes supported by technology and digital contact with customers, many tasks must be undertaken in the areas of IT security and data protection. In order for IT security concepts to be effective, the latest technologies and software solutions have to be introduced, in-depth awareness of IT security and data protection has to be promoted in training courses and further organisational framework conditions, such as an Information Security Management System (ISMS) have to be established. And some companies need to drive forward the separation between Office IT and Production IT more vigorously. This applies in particular if the company reorganises in the course of networked production, as the easiest way for hackers to penetrate a network is still through the internet access or email accounts of the workforce. Up to now, only one third of the companies have consistently implemented this separation.

In future, big data processes and artificial intelligence could also help identify weaknesses in the system at an early stage and find specific countermeasures. Of all the companies surveyed, 36 per cent think that they will have fully-automatic IT security architecture in future. However, these processes do not mean that human IT security experts will be surplus to requirements over the long term. As Dirk Kretzschmar points out: “Such tools have their place when it comes to analysis, but human beings are always needed in order to interpret the data and decide on suitable countermeasures”. Networking does not only lead to opportunities for hackers. There is also an increasing requirement for IT security experts, as Kretzschmar adds: “In future we will need even more people who have specific competence in the area of IT security.”