Europe’s security vision undermined by lack of compulsory requirements

For the most part, companies have to be forced to take security seriously, but perhaps these changes are on the horizon in Europe at least.

Jamie Davies

October 16, 2019


Cybersecurity is always a topic of conversation which is never too far away, though you have to question the substance behind the statements. Security and privacy are always top priorities for a company if you listen to the CEO, though the fact that security breaches still persist undermines these bold claims.

To be fair to the companies involved, this is a fast-paced and ever-evolving aspect of the technology landscape. Is there such a thing as 100% secure? No. Can the companies do more to protect their customers? Yes.

This is where the European Commission plays a critical role in developments. Speaking at Broadband World Forum in Amsterdam, Julie Ruff, Directorate for Digital Society, Trust & Cybersecurity, outlined the challenges, as well as the ways and means to combat these threats, and the telcos will be central to these efforts.

“First of all, they are obvious targets for cyber-attacks [the networks], very attractive targets,” said Ruff.

“The networks can be used as vectors for attack.”

The network is the lynchpin for tomorrow’s economy, the backbone of the virtual world. It’s the digital superhighway which connects anything, everything and everyone. The network owners need to lead from the front, but they are not the only character in this nefarious saga.

As part of the latest iteration of the Cyber Act, the European Commission has introduced a certification framework for ICT digital products, services and processes. This framework will provide a comprehensive set of rules, technical requirements, standards and procedures to ensure consumers and businesses are protected from the dangers lurking in the dark corners of the world wide web.

This is all well and good, but here is the major problem: the certification process is currently voluntary.

At the largest companies, resources can be redirected towards such initiatives to ensure the demands and nuances of the framework are being adequately met. However, this is not going to be the biggest problem the digital economy will face. The start-ups and SMEs, those who can easily find other means to spend valuable and limited funds, will not voluntarily direct investment towards cost-centres and away from profit-builders.

However, with more risks being realised further afield in the ecosystem, a comprehensive approach to security is needed everywhere and anywhere. As Ruff pointed out during her presentation, the interconnected nature of the digital economy means that cybercriminals can infiltrate networks through weak points in the chain.

This is where the European Commission needs to move forward to ensure the certification framework is compulsory, not voluntary. It might come as a financial burden to the start-ups, but it is the only way to most effectively mitigate risk. The investments being made by multi-nationals and telcos could be completely undermined by a rogue device connected to the network.

For the digital economy to be anywhere near ‘safe’, connected devices, whatever they may be, need to be secure out of the box and providers need to ensure timely and regular security updates. Unfortunately, this perfect scenario can only be achieved through effective regulation and a compulsory certification framework.

A good vision has been outlined by the European Commission, but this needs to be backed up by effective and compulsory regulation.
