
Securing tomorrow: What’s next in cybersecurity? Part II


Moving from compliance to proactive security with the Secure by Design approach

How do you build your products, processes, and systems? In a world where digital threats are evolving faster than ever, it is difficult to find an organization that does not understand the importance of addressing security. And if there are still organizations that have not yet caught up with the changing threat landscape, the implementation of new European Union cybersecurity legislation such as NIS2 and the Cyber Resilience Act will force them to do so.

However, it is becoming increasingly apparent that compliance should not be the main driver, or even the end goal. In this article, we discuss the importance of Secure by Design, and explain why this approach is becoming increasingly critical for business survival.

Building security from the ground up

Secure by Design is a fundamental approach to cybersecurity that emphasizes building security measures into systems and processes from the very beginning, rather than adding them as an afterthought.

Both the EU’s Network and Information Security (NIS2) Directive and the Cyber Resilience Act (CRA) have incorporated elements of the Secure by Design approach. These regulations require companies to implement security measures during the design phase of products and services, maintain them throughout their lifecycle, and take responsibility for their supply chain security. This includes considerations about where data is stored, processed, and transported, with appropriate security measures implemented at each stage. But why was this needed?

The evolving threat landscape demands a new approach

The commercialization of cyber threats has fundamentally changed the security equation for businesses. Ransomware attacks have evolved from simply encrypting data to stealing and threatening to sell sensitive information. Additionally, state actors from countries like Russia and China have entered the playing field, often timing their attacks to coincide with significant political events.

“The threat isn’t just about active attacks like ransomware anymore,” says Sander Dorigo, Senior Security Architect at Fox Crypto. “We’re seeing state actors who might wait for opportune moments, such as right before important negotiations or summits, to launch their attacks.”

Shifting responsibility from human error to system design

At the same time, we can see a significant paradigm shift in how organizations approach security incidents. Rather than blaming human error, such as employees clicking on phishing links, companies are increasingly recognizing the need to design systems that prevent such mistakes from having catastrophic consequences.

“It’s crucial for organizations to create an environment where people cannot make these kinds of mistakes,” Sander emphasizes. “If a phishing email gets through and one out of a thousand employees clicks on it, you need to have systems in place to block that link and remove similar emails from everyone’s inbox immediately.”

Moving towards 100% security?

A Secure by Design approach should not be seen as a one-time implementation. The market and threats continue to evolve, requiring constant adaptation and improvement. Companies often fall into the trap of thinking they can implement one concept and be completely secure forever.

“It’s an illusion to think you can achieve absolute security,” Sander adds. “The goal isn’t to be 100% secure: that would be too static. Instead, focus on ensuring you have control over your most important data and can respond effectively when incidents occur.”

By successfully implementing Secure by Design principles, organizations can move toward a more proactive cybersecurity strategy, shifting from constantly reacting to threats to anticipating and preventing them. This evolution, however, requires sustained commitment and an understanding that security is an ongoing journey rather than a destination.