The approach to cybersecurity has for a long time been more reactive than proactive – a costly and ineffective way to defend your business.
To match the ever-expanding threat landscape, businesses should be more proactive in their approach to cybersecurity. Cybersecurity should be considered from the start in all design and system development processes, and our survey indicates that the majority of the surveyed consumer businesses have realised this.
What does the survey show?
According to our survey, 67% of the respondents considered cybersecurity as one of the first things in the development process when developing their last digital solution. Almost 30% took cybersecurity into account during the development process or before implementing the digital solution, while 3% did so as part of or upon implementation. In 3% of the surveyed consumer businesses, cybersecurity was not being considered at all.
Cyber-attacks have become a question of when - not if - they happen, and this underlines the importance of having cybersecurity-by-design measures embedded as a standard element of every product, system and technology development process. By having cybersecurity incorporated as an integral part of the digital system or solution from the start, businesses increase their resilience and enhance their business continuity.
It is a positive change that close to 7 out of 10 of the respondents indicate that they considered cybersecurity prior to development the last time they developed a digital solution. This supports the general trend we have seen during the past 10 years, with cybersecurity having gone from not being considered at all to now being recognised as an instrumental part of product and system development processes. In recent years, this trend has been driven by the EU’s GDPR rules, further compliance requirements and a privacy-by-design focus, especially in terms of consumer businesses.
That said, it is difficult to decipher whether the results mean that proper cybersecurity efforts have actually been implemented, or whether it was merely a single security review with no considerable effects. Data from our qualitative interviews supports the above-mentioned trend that cybersecurity has become an instrumental part of the product and system development processes. The question, however, is whether these processes are embedded throughout the organisation, i.e. would product and project owners have the same understanding, or is it a result of the perspective of our respondents (those responsible for cybersecurity)?
As we help Danish consumer businesses increase their cyber resiliency, we still see a significant number of products, services and systems that lack basic cybersecurity measures, with cybersecurity not having been considered in the initial development process. Not only does this increase the organisation’s vulnerability; in many cases, it also makes the solution more expensive, especially if the security efforts need to be integrated once the solution has been implemented.
The broader picture
Secure Development Life Cycle
It took several years for companies to recognise that security should be considered as part of the systems development life cycle (SDLC). Now it is time for companies to evolve their ways of thinking and embed security in every phase of the SDLC. This does not necessarily mean that additional security measures will be required in every case; it rather means that when security is being considered, tangible steps are taken to integrate security solutions into the product, technology or supply chain in question. It is positive to see that we are now considering security as part of the SDLC; this should now result in actual secure-by-design solutions.