Secure by Default: Why Cybersecurity Must Start with Default Settings

Cyberattacks cost companies millions every year, often due to common mistakes such as weak default settings, unsecured remote access, or outdated configurations. Many manufacturers ship networked systems with insecure settings, leaving the door open to attackers. Secure by Default means systems are protected right out of the box, helping companies improve cybersecurity, reduce risks, and simplify compliance.

In recent years, cyberattacks caused by security flaws and misconfigurations have led to significant damage. Reactive protection is no longer enough. Regulators are stepping in, raising the standards: systems must be secure from the start—before attackers get a chance.

Today, developers are expected to build IT systems securely from the ground up. Security is no longer a bothersome add-on but an essential part of solution development. This approach, known as Security by Design, helps eliminate vulnerabilities during the development phase. 

Security by Default – Manufacturers Deliver Secure Products

Manufacturers must now deliver systems that are secure in their default settings. This means administrators or users shouldn’t have to take extra steps to secure the system. Specifically:

  • All communication channels are encrypted by default.
  • Access rights follow the least privilege principle.
  • Unnecessary services are disabled by default.
  • Insecure features are proactively turned off.

These measures significantly reduce the attack surface. Examples include switches that allow management only through encrypted protocols, IoT devices with automatic security updates enabled, and cloud storage encrypted by default. 
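To make the four defaults above concrete, here is an added example (not code from the article or from any vendor) that audits a device's shipped configuration against them; it also checks for weak default passwords and disabled automatic updates, which the article lists later under the CRA. The configuration keys, the two sample switch configurations and the lists of required services, cleartext protocols and weak passwords are assumptions constructed for the example.

```python
# Added example (not from the original article): audit a device's shipped
# configuration against the Secure by Default checks, plus the "no weak
# default passwords" and "automatic updates" points the article attributes
# to the CRA. Config keys and values are assumptions for illustration.
from dataclasses import dataclass

# Factory passwords that must never remain enabled (constructed, not exhaustive).
WEAK_DEFAULT_PASSWORDS = {"admin", "password", "1234", "", "default"}

# Management and transfer protocols that carry credentials in cleartext.
CLEARTEXT_PROTOCOLS = {"telnet", "http", "ftp", "snmpv1", "snmpv2c"}

# Services the device needs for its core job; anything else enabled by
# default widens the attack surface (assumed set for the example).
REQUIRED_SERVICES = {"ssh", "https", "ntp"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    check: str      # identifier of the violated principle
    detail: str


def audit_defaults(cfg: dict) -> list[Finding]:
    """Return the Secure by Default violations found in cfg."""
    findings: list[Finding] = []

    # 1. All communication channels encrypted by default: management must be
    #    reachable only through encrypted protocols.
    for proto in cfg.get("management_protocols", []):
        if proto.lower() in CLEARTEXT_PROTOCOLS:
            findings.append(Finding("high", "encrypted-channels",
                                    f"management exposed over cleartext protocol {proto}"))

    # 2. Least privilege: no shared all-powerful account, no weak factory
    #    password, and a forced password change at first login.
    for name, acct in cfg.get("accounts", {}).items():
        if acct.get("role") == "admin" and acct.get("shared", False):
            findings.append(Finding("high", "least-privilege",
                                    f"shared admin account {name!r}"))
        if acct.get("password") in WEAK_DEFAULT_PASSWORDS:
            findings.append(Finding("high", "no-weak-default-password",
                                    f"account {name!r} ships with a weak default password"))
        if not acct.get("must_change_password", False):
            findings.append(Finding("medium", "no-weak-default-password",
                                    f"account {name!r} not forced to change password at first login"))

    # 3. Unnecessary services disabled by default.
    for svc, enabled in cfg.get("services", {}).items():
        if enabled and svc.lower() not in REQUIRED_SERVICES:
            findings.append(Finding("medium", "unnecessary-services",
                                    f"service {svc} enabled but not required"))

    # 4. Insecure features proactively turned off (here: legacy TLS, open SNMP).
    for feature, enabled in cfg.get("insecure_features", {}).items():
        if enabled:
            findings.append(Finding("high", "insecure-features",
                                    f"insecure feature {feature} enabled"))

    # 5. Automatic security updates must be on out of the box.
    if not cfg.get("auto_security_updates", False):
        findings.append(Finding("high", "auto-updates", "automatic security updates disabled"))

    return findings


def is_secure_by_default(cfg: dict) -> bool:
    return not audit_defaults(cfg)


# Constructed sample: a switch as it is often shipped today ...
SHIPPED_DEFAULTS = {
    "management_protocols": ["telnet", "http", "ssh"],
    "accounts": {"admin": {"role": "admin", "shared": True, "password": "admin",
                           "must_change_password": False}},
    "services": {"ssh": True, "https": False, "ntp": True, "tftp": True, "upnp": True},
    "insecure_features": {"tls1.0": True, "snmp_public_community": True},
    "auto_security_updates": False,
}

# ... and the same switch with Secure by Default settings (constructed).
SECURE_DEFAULTS = {
    "management_protocols": ["ssh", "https"],
    "accounts": {"admin": {"role": "admin", "shared": False,
                           "password": "Kx7#unique-per-device-label",
                           "must_change_password": True}},
    "services": {"ssh": True, "https": True, "ntp": True, "tftp": False, "upnp": False},
    "insecure_features": {"tls1.0": False, "snmp_public_community": False},
    "auto_security_updates": True,
}

if __name__ == "__main__":
    for f in audit_defaults(SHIPPED_DEFAULTS):
        print(f"[{f.severity}] {f.check}: {f.detail}")
    print("secure by default:", is_secure_by_default(SECURE_DEFAULTS))
```

Run against the shipped configuration the audit reports ten findings (seven high, three medium); the hardened configuration reports none. In practice the same checks would be run in the manufacturer's build pipeline against the image that leaves the factory, so that a regression in the defaults fails the build rather than reaching customers.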

The Challenge – Balancing Security and User-Friendliness 

Why don’t more manufacturers ship products with secure default settings? Often, it’s because they worry about alienating customers. A product that blocks many functions or limits access by default can frustrate users and increase support calls.

This leads to lower sales as customers become annoyed by restrictions. As a result, many manufacturers opt for looser default configurations and rely on users to secure their products later—a risky choice for IT security.

Moreover, this approach conflicts with legal requirements. The General Data Protection Regulation (GDPR) mandates "data protection by design and by default," emphasizing privacy-friendly settings from the start. 

NIS-2 – Ensuring Adequate Network Protection 

Starting December 2025, the NIS-2 Directive is in effect across Germany. Companies in key sectors such as energy, healthcare, and water must register with authorities and begin implementing required security measures.

These measures include risk assessments, securing supply chains, staff security training, encryption, and multi-factor authentication (MFA). Companies are also required to adequately protect their networks by segmenting them, controlling access, securing remote connections, blocking unnecessary ports, and only using recognized secure protocols. 

CRA – Reporting and Addressing Vulnerabilities

The Cyber Resilience Act (CRA) takes it further by setting a baseline cybersecurity standard for all connected products sold in the EU. It applies to virtually all digital products on the market, except open-source solutions without commercial focus.

Manufacturers must perform risk assessments and fix security risks before products hit the market. Products must come securely configured—no weak default passwords are allowed, and automatic security updates must be enabled.

Additionally, manufacturers must disclose vulnerabilities and report them to a central platform managed by the European cybersecurity agency ENISA. They are also responsible for providing security updates throughout the product’s support life, typically five years or more.

Remote Access – Protecting Connections with VPN and MFA

Remote access illustrates how security can be improved without increasing risk. Key points include:

  • Virtual Private Networks encrypt connections using protocols such as IPSec or TLS. Sensitive apps benefit from additional end-to-end encryption. Unencrypted protocols such as Telnet or FTP are forbidden.
  • Multi-factor authentication (MFA) is one of the most effective ways to secure logins, often combined with time-based one-time passwords (TOTP). Passwords, if used, must meet strict criteria such as length, complexity, and uniqueness.
  • Users should access only the systems and data they need (least privilege) and only via secure network zones (segmentation).
  • Logs of all remote connections should be centralized and reviewed, recording login times, failed attempts, and permission changes. Alerts should trigger on suspicious activity, like unusual login times or locations.
  • Endpoint devices also require strict control. Companies should allow only managed devices and, if permitting “Bring Your Own Device” (BYOD), ensure verified endpoint security including current patches, malware protection, and personal firewalls.

Secure by Default and secure remote access are essential for modern security strategies. These measures work best when integrated into a comprehensive security framework, where advanced VPN solutions help implement these standards efficiently.
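As an added example that is not part of the original article, the following script applies the log-review and alerting points from the remote-access list to a handful of constructed log lines: it flags bursts of failed logins from one source, successful logins outside normal hours or from a country not in the user's baseline, successful logins without MFA, use of a cleartext protocol such as Telnet, and permission changes. The key=value log format, the per-user location baseline, the business-hours window and the failure threshold are assumptions made for the example.

```python
# Added example (not from the original article): review centralized
# remote-access logs and raise the alerts the article calls for. The log
# format, user baselines and thresholds are assumptions for illustration.
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in an assumed key=value format, as a VPN
# gateway might forward them to a central log server.
SAMPLE_LOG = """\
2025-03-04T08:02:11Z gw1 event=login user=alice src=198.51.100.10 geo=DE proto=ikev2 mfa=yes result=success
2025-03-04T08:05:40Z gw1 event=login user=bob src=198.51.100.22 geo=DE proto=tls mfa=yes result=success
2025-03-04T12:17:03Z gw1 event=login user=bob src=203.0.113.9 geo=DE proto=ikev2 mfa=no result=success
2025-03-04T23:41:07Z gw1 event=login user=alice src=203.0.113.77 geo=BR proto=tls mfa=yes result=success
2025-03-04T23:42:10Z gw1 event=login user=carol src=203.0.113.5 geo=DE proto=tls mfa=yes result=failure
2025-03-04T23:42:14Z gw1 event=login user=carol src=203.0.113.5 geo=DE proto=tls mfa=yes result=failure
2025-03-04T23:42:19Z gw1 event=login user=carol src=203.0.113.5 geo=DE proto=tls mfa=yes result=failure
2025-03-04T23:42:25Z gw1 event=login user=carol src=203.0.113.5 geo=DE proto=tls mfa=yes result=failure
2025-03-04T23:42:31Z gw1 event=login user=carol src=203.0.113.5 geo=DE proto=tls mfa=yes result=failure
2025-03-05T03:10:00Z gw1 event=permchange user=bob src=198.51.100.22 geo=DE target=bob role=admin
2025-03-05T09:00:00Z gw1 event=login user=dave src=198.51.100.30 geo=DE proto=telnet mfa=no result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 UTC counts as a normal login time (assumed)
FAILURE_THRESHOLD = 5             # failed logins from one source within the window (assumed)
FAILURE_WINDOW_S = 120
CLEARTEXT_PROTOCOLS = {"telnet", "ftp"}
# Assumed per-user baseline of countries seen in earlier, reviewed logins.
KNOWN_GEO = {"alice": {"DE"}, "bob": {"DE"}, "carol": {"DE"}, "dave": {"DE"}}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    except ValueError:
        return None
    rec["ts"], rec["host"] = ts, m.group("host")
    return rec


def review(log_text):
    """Return a list of (rule, user, timestamp) alerts for the given log text."""
    alerts = []
    failures = defaultdict(list)   # source address -> timestamps of recent failed logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        user, ts, ev = rec.get("user", "?"), rec["ts"], rec.get("event")
        if ev == "permchange":
            # Permission changes are always surfaced for review.
            alerts.append(("permission-change", user, ts))
            continue
        if ev != "login":
            continue
        if rec.get("proto") in CLEARTEXT_PROTOCOLS:
            alerts.append(("cleartext-protocol", user, ts))
        if rec.get("result") == "failure":
            src = rec.get("src", "?")
            failures[src] = [t for t in failures[src] + [ts]
                             if (ts - t).total_seconds() <= FAILURE_WINDOW_S]
            if len(failures[src]) == FAILURE_THRESHOLD:   # alert once per burst
                alerts.append(("failed-login-burst", user, ts))
            continue
        # Successful login: check MFA, time of day and location against baseline.
        if rec.get("mfa") != "yes":
            alerts.append(("login-without-mfa", user, ts))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("unusual-login-time", user, ts))
        if rec.get("geo") not in KNOWN_GEO.get(user, set()):
            alerts.append(("unusual-login-location", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {rule} user={user}")
```

On the sample the script raises seven alerts: bob's login without MFA, alice's night-time login from a new country (two alerts), carol's burst of five failures from one address, bob's permission change, and dave's Telnet session, which is flagged both as a cleartext protocol and as a login without MFA. The per-user location baseline is deliberately simple; a production deployment would build it from history and include the device identity, so that the BYOD checks in the list above feed the same review.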

Discover compliant VPN solutions today.