Robust cybersecurity has never been more important as cyberattacks continue to increase. In fact, data breeches increased by 72% in 2023, setting a new all-time high, as bad actors took advantage of vulnerabilities exposed by remote working. Driven by the potential for financial gain or widespread disruption, cybercriminals can be highly motivated adversaries.
Fortunately, businesses aren’t left to fend entirely for themselves without guidance. Governments are keen to reduce the risks to businesses and customer data by implementing regulations which help standardize defenses against attacks. Failure to comply can result in significant fines for the business in the event of a data breach.
This puts product manufacturers in a bit of a tight spot, as they must understand the regulations that customers will be subjected to and ensure that their products are compliant. This requires continued monitoring and vigilance, as regulations can change, arise, or different regulations adopted by different regions. Global manufacturers need to stay ahead of the regulatory curve to avoid future issues with the upgrades required to maintain compliance.
Governance vs Compliance
From a customer perspective, adherence to regulations only represents the starting point for protecting critical data; organizations must focus on both governance and compliance. These terms can sometimes be confused, because they are closely linked. Governance refers to the internal policies that organizations put in place themselves. These tend to be over and above government regulations and tailored to their individual risk profile and the industry threat landscape.
On the other hand, compliance represents the measures put in place to ensure adherence to these internal policies and regulation. It is critical that these measures balance security with the user experience, without introducing unnecessary friction to processes. These measures can be audited by a third party and should stand up to scrutiny.
Both governance and compliance are continuously assessed as new threats emerge and vulnerabilities are discovered. As such, manufacturers are tasked with not only having products and services that meet regulatory compliance, but also to meet the governance requirements of all customers as well.
Thinking globally about regulation
Unfortunately, regulations are not standardized across geographies. Global manufacturers of video surveillance technology are challenged by the differences in regulations between regions.
For example, the European Commission have introduced the Network and Information Security Directive (NIS2), an expansion on the previous NIS Directive. This directive aims to strengthen the requirements of critical infrastructure and essential service providers to implement sufficient security and incident measures. Failure to comply can have both significant financial and legal implications.
Contrast this with the US, with Executive Order 14028 on Improving the Nations Cybersecurity issued in 2021. This tasks federal agencies, but also those private businesses that provide products and services, to comply with the enhanced regulations.
Other countries and regions around the globe have their own specific approaches, creating a complex regulatory landscape. This is especially true if a business is based in one country, such as the US, and operates globally. They must adhere to the local standards of the countries they do business with, or risk being non-compliant.
Successfully navigating the different data protection and cybersecurity regulations between geographies starts with a deep knowledge and understanding of these regulations, coupled with the best practices to protect sensitive data against cyberattacks. This will determine what type of cybersecurity protection should be incorporated into products to support the customers’ own compliance measures.
Maintaining strong product lifecycle management
Even with a vast knowledge of regulations, manufacturers cannot lose sight of the ever-changing threat landscape. Firmware on products must be updated periodically and in line with new vulnerabilities. Problems can be encountered where legacy products are still in use, and which sometimes can no longer be updated.
For this reason, cybersecurity must be considered as part of the product lifecycle management. If products are beyond a certain age, they may no longer be cyber secure. This is complicated by changing regulations, which may also mean that the device is no longer compliant. Rectifying this may require the manufacturer to review software and firmware which is older than five years, which can be very difficult.
Beyond the manufacturer’s four walls, another area which needs attention is the supply chain. As cybersecurity is a high priority, organizations within the manufacturer’s supply chain must be able to demonstrate how they approach cybersecurity and data protection. This includes how they comply with regulation and why they are ‘safe’ to do business with. Armed with this knowledge, manufacturers can be assured that they are not inadvertently introducing risk into their products.
With customers taking greater measures to ensure the products they buy are more compliant in areas such as component sourcing, product manufacturing, organization sustainability, and cybersecurity, it is more important than ever for organizations to be transparent.
Being open about vulnerabilities, providing a list of components required in product software in the form of a Software Bill of Materials (SBOM), and software updates, to name a few, builds trust, which in today’s global landscape is an important commodity.
Keeping customer’s best interests in mind
When it comes to cybersecurity, it is critical for organizations to understand the threats they face and their own risks and vulnerabilities, in addition to the regulations their customers need to comply with.
As manufacturers of devices used by customers in their security operations, a global-minded approach to cybersecurity measures will pay dividends. It keeps the customer’s needs at the forefront by ensuring that products adhere to the strictest regulations from different markets. In addition, if existing regulations are adopted in new markets, products are already compliant which negates the need to update firmware. In this way manufacturers act with the customer’s best interest in mind and supports them in their goals to keep their data safe and secure.