23 September 2024

5 quick wins to achieve rapid improvements in a product's cybersecurity

Getting your product's cybersecurity in order can be very complicated. But there are some things that are relatively easy to organize and that help you improve your product's cybersecurity quickly.

1. Do not use default passwords

It is important to have measures in place that ensure passwords are unique per device in any state other than the factory default. This mitigates the risk of automated attacks that exploit obvious regularities, commonly used strings, publicly available information or inappropriate complexity in pre-installed, unique-per-device passwords.

2. Work on a good vulnerability disclosure policy

Here, at least consider how the vulnerability disclosure policy is published, and how a user can access that publication.

3. Disable debug ports

Engineers need debug ports; however, they are one of the easiest ways for a hacker to gain control of a system and learn to automate the attack against other systems. Many debug ports allow hackers to gather information about the firmware running on the device or to learn secrets such as personal data or cryptographic keys. While disabling them is always best, it is not always possible, in which case mitigating factors such as obfuscation may help improve your security.

4. Establish cybersecurity requirements in the design phase

The earlier you know your requirements, the easier they are to implement. A list of requirements that includes the standards your product will be tested against for conformity is therefore a valuable tool for your engineers to work with.

5. Avoid blind spots and ask an independent party to verify

Testing is usually best left to independent parties where possible, to ensure your products are fully secure. Depending on the market your product is in, independent testing by cybersecurity companies like Kiwa may be required or may be a good selling point. Furthermore, under some legislation that lacks harmonized standards, or depending on the risk level, independent testing by an accredited testing body may be mandatory.
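Quick win 1 in practice, as an added example that is not part of the Kiwa article: a policy check that rejects a proposed pre-installed per-device password for each of the four weaknesses named above (commonly used strings, publicly available device information, obvious regularities between consecutive devices, inappropriate complexity), plus a generator that draws each device's password independently from the OS CSPRNG. The default-string list, the 12-character/3-class threshold and the sample serial numbers are assumptions chosen for illustration.

```python
import re
import secrets
import string

# Constructed sample of factory-default / commonly used strings (illustrative, not from the article).
COMMON_DEFAULTS = {"admin", "password", "12345678", "default", "root", "1234"}


def _is_sequential(prev: str, cur: str) -> bool:
    """True when cur is prev with only its trailing number incremented (e.g. pw-0041 -> pw-0042)."""
    m1 = re.fullmatch(r"(.*?)(\d+)", prev)
    m2 = re.fullmatch(r"(.*?)(\d+)", cur)
    if not (m1 and m2) or m1.group(1) != m2.group(1):
        return False
    return int(m2.group(2)) == int(m1.group(2)) + 1


def check_device_password(password: str, serial: str, mac: str, previous: str = "") -> list:
    """Return the policy violations of a proposed pre-installed per-device password.

    The four checks mirror the four risk classes the text names: commonly used
    strings, publicly available information (serial number / MAC printed on the
    label), obvious regularities (a counter continued from the previous device)
    and inappropriate complexity (too short or too few character classes).
    """
    problems = []
    low = password.lower()
    if low in COMMON_DEFAULTS:
        problems.append("commonly used string")
    mac_plain = mac.replace(":", "").replace("-", "").lower()
    if (serial and serial.lower() in low) or (mac_plain and mac_plain[-6:] in low):
        problems.append("derived from publicly available device information")
    if previous and _is_sequential(previous, password):
        problems.append("obvious regularity relative to previous device")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^a-zA-Z\d]"))
    if len(password) < 12 or classes < 3:
        problems.append("inappropriate complexity")
    return problems


def generate_device_password(length: int = 16) -> str:
    """Draw an independent random password per device from the OS CSPRNG, so that
    no device's password can be predicted from its label or from another device."""
    alphabet = string.ascii_letters + string.digits + "-_.!#"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_device_password(candidate, serial="", mac=""):
            return candidate
```

Run `check_device_password` against each candidate produced by a provisioning line, passing the previous device's password, and reject any candidate that returns a non-empty list.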
