Benchmarking the cost of security


David Maidment, Director of Secure Device Ecosystem, Arm, explores why it’s not important to benchmark the cost of security, but instead to benchmark the cost of not following good security practice, and why it’s better to get ahead of the curve before regulation comes into play.

There are often a few motivations for hackers, but most of the time it comes down to two main factors: financial gain and attention.

As the number of connected devices surges, and momentum continues to grow for the Internet of Things (IoT), there is no denying that connected devices are attractive for hackers. In fact, Symantec detected almost 19 million attacks on its IoT devices in the first quarter of 2020 – which is a 13% rise when compared with the previous year. In order to not become another statistic, it’s clear that device manufacturers need to turn their attention to securing devices right from their inception.

However, there is a reason that IoT device security is historically skipped and it’s not always due to negligence. Among many other concerns such as navigating worldwide regulations, manufacturers are constantly weighing up the cost of creating devices to ensure they have the best return on investment.

When you are selling tens of thousands, or even millions of devices, even the most minor cost can have a huge impact - every cent really does count. Security is complex, and it takes time, resources and expertise to implement. As a result, device manufacturers often skip security as it is seen as an unnecessary overhead in the race to get devices to market.

The real question is what’s greater - the cost of poor security or the savings from a fast time to market? Unfortunately, the cost of security failure is always greater and often immeasurable. A recent report by Accenture states that over the next five years, companies in the private sector “risk losing an estimated $5.2 trillion in value creation opportunities from the digital economy thanks to cyber security attacks”.

The costs also extend beyond financial damage – hacks ripple through press and media outlets, which often leads to a lack of customer trust, brand erosion, failure to meet worldwide regulation, possible threat of litigation from end customers and, ultimately, loss of business, the impact of which is impossible to measure.

Thankfully, it’s not all doom and gloom. We know we need to invest in security, but it shouldn’t be viewed as an irrecoverable cost. In a recent panel discussion with my colleagues [SS1] at world-leading manufacturing companies OSRAM, Signify and Sigma Delta, we covered this very topic and were united in the view that adding security isn’t actually “just a cost”, but rather a competitive advantage. Fabio Vignoli, Head of Product Security, Digital Solutions Division, Signify, correctly pointed out that: “Security is a cost, however, it’s also an opportunity for a competitive advantage. Security is less costly when you build it in at the beginning, instead of trying to bolt it on later.”

The good news is that there are things you can do to reduce the financial strain of security. Adopting industry best practices and using design frameworks helps to significantly decrease the financial and time burden compared with ground-up development. PSA Certified [SS2] is a security framework and certification program, which is mapped to key regional regulations and outlines 10 key security goals [SS3] that all connected devices need in order to meet a security baseline. The composite structure of this scheme reduces the complexities of security for device manufacturers by allowing them to build on the hard work of silicon providers, many of which have invested heavily in their solutions.

I’d love to see a future where we’re embracing the costs associated with security and turning them into competitive advantages in the market. By prioritizing security, businesses could have the opportunity to position themselves as more reliable – building trust with current and future customers.

A recent study by the Dawes Centre for Future Crime found an overwhelming willingness amongst consumers to pay more for a secure device. In the case of security cameras, participants were prepared to pay an additional 40% for a secure product. Adopting security into your company’s cultural DNA has the power not only to protect your reputation, but also to leave a positive legacy for the IoT.

If you’d like to know more about the cost of insecurity, and how you can balance the costs associated with security, check out our interactive whitepaper here [SS4].


[SS1] https://hubs.li/H0ByB_J0

[SS2] https://hubs.li/H0Byzxb0

[SS3] https://hubs.li/H0ByzCz0

[SS4] https://hubs.ly/H0ByBCq0