Often seen as low-hanging fruit by cybercriminals, small and medium-sized businesses are targeted precisely because they tend to have limited IT staff and few security controls. The recent attack on a Pennsylvania water system is a stark reminder of how exposed our interconnected infrastructure is. It underscores the need for businesses to take a proactive approach to cybersecurity and to embrace the concept of Security by Design. This is not only a technical requirement but a business strategy: it is what keeps operations intact and resilient as cyber threats grow.
In response to the attack, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging manufacturers to follow Security by Design principles and, specifically, to stop shipping products with default passwords. Security by Design is a set of high-level principles that asks software and device manufacturers to take on more of the cybersecurity burden themselves, so that products are secure out of the box rather than relying on each customer to harden them. The alert highlighted two of those principles: “Take ownership of customer security outcomes” and “Build organizational structure and leadership to achieve these goals.”
The overarching message of the alert was that manufacturers should eliminate default passwords from devices before they ship. The attack pattern is simple: attackers scan the internet for devices whose management interfaces are reachable, look up the vendor's published default credentials, and try them on every device found until one opens. Many of the environments where these devices run, including small utilities connected to critical infrastructure, do not have the budget for internal IT staff, so the default password is never changed and the device is never taken off the public internet. That combination of inexperience and limited budget is what is leaving some of these utilities open to attack.
If you run a small business, it is worth understanding how secure a device is out of the box before you add it to your network. The federal government announced the U.S. Cyber Trust Mark program in July, and it is on track to launch by the end of 2024. The program would give internet-connected devices an EnergyStar-like label so that consumers and business owners can judge the security of a new device before they buy it.