Finding harmony between the functionality, size, and security of IoT devices has proven to be a major hurdle. It will require a joint effort between consumers, industry, and state and federal governments, to solve the problem.
Securing the Internet of Things (IoT) has been slow going, and it’s putting user privacy and personal security at risk. The subject of IoT security has gained a lot of visibility over the last few years. We’re wondering whether the industry is doing more than consumers to enhance security. Moreover, consumers don’t seem all that interested in understanding how to protect themselves. What more can be done? In this article, we’ll attempt to pull together all the highlights of our research into these points. We’ll be talking about:
- Problems in recent years
- Why we think security isn’t currently the highest priority for IoT makers but should be
- Whether secure IoT is even possible to obtain
- Lastly, some suggestions as to what businesses and consumers can do today
IoT Providers Should Learn from History
In the 1930’s, United States physicians began installing makeshift safety belts in their own cars as a result of vehicle-related deaths and injuries that physicians witnessed all too often. Over the following decades, there was a great deal of innovation in automotive safety. It wasn’t until 1968 when the first federal automotive safety law took effect. It required all motor vehicles (except buses) to be manufactured and equipped with seatbelts. For many people, the basic understanding that a seatbelt could save their life was enough to justify wearing one.
Despite the statistics, many people continued to ride in cars without securing their safety belts. Recognizing that a simple measure was being ignored by many passengers, it took several more years for US states to pass laws that actually require passengers to wear seatbelts or risk fines. Why did it take both the industry and consumers so long to adopt this simple security feature? Years from now, will this same question be posed about the current state of IoT security?
Like 1930s Physicians, We’re Aware of the Problem
Ultimately, the concern for device security isn’t merely about the user/device that is infected but also the assets that are part of the larger network on which these devices depend. So, it’s no secret that IT security experts and professionals are concerned with the security of connected devices.
As early as 2014, Target Corporation was dealing with the fallout from a hacker that had gained access to their network remotely (via the HVAC system: a connected device). This breach alone compromised thousands of cardholder records. Security of IoT devices garnered additional attention in late 2016 when the Mirai botnet was discovered to have infected what experts estimated to be hundreds of thousands of connected devices. The malicious code was used to launch distributed denial of service (DDoS) attacks on various targets causing widespread disruption. Another unsettling fact reported by Symantec in their 2017 Internet Security Threat Report, is that the average time to hack a connected device was only two minutes. For a career cyber criminal, this isn’t much of a barrier to overcome. Ultimately, the concern for device security isn’t merely about the user/device that is infected but also the assets that are part of the larger network on which these devices depend. So, it’s no secret that IT security experts and professionals are concerned with the security of connected devices.
Experts estimate that a staggering number of devices will be connected through IoT systems within the next five years. According to Gartner Inc., the number of connected devices reached approximately 8.4 billion in 2017. They predict that the market will grow nearly threefold to 20.4 billion by 2020. Perhaps the only fact more surprising than the number of connected devices is the number of unsecured connected devices.
Consumer and industry demands are driving the need for enhanced functionality and user experience. In keeping with the “instant gratification” appetite of today’s marketplace, consumers won’t wait. Simply put: gone are the days of making appliances or products that only deliver on their functional purpose. So at the same time that pressures mount on executives to drive change and innovation within their business to provide these products, IT professionals and security experts are faced with an equally alarming concern: how can companies keep up with the demand for smart devices while also being smart about security? In order to answer that question, it might help to outline some of the factors adding unwanted complexity to IoT security IoT:
- Non-tech companies being forced to compete in the technology space
- Shortage of IT and security professionals
- Variety of devices presents standardization challenges
In a time when a toaster that only toasts bread feels mildly archaic, it seems every company needs to be a tech company.
Given the previously mentioned dynamics, if a company is to remain relevant in today’s tech-driven economy, they must consider their role within the connected device world—even if they’re a traditional appliance manufacturer or non-tech company.
Given the previously mentioned dynamics, if a company is to remain relevant in today’s tech-driven economy, they must consider their role within the connected device world—even if they’re a traditional appliance manufacturer or non-tech company. Additionally, as if the pressure to bring the ‘smart’ aspect to their products wasn’t enough, tech companies are also finding ways to break into traditional product markets, only adding to the urgency non-tech companies feel to compete in the IoT arms race. This means that original equipment manufacturers (“OEMs”) or non-tech companies are handed the tall task of rapidly bringing innovations to market that not only meet the original intended use of the equipment but also satisfy the tech-savvy user.
About the authors:
Kelly Arnholt is an Audit & Compliance Manager for Oracle Cloud SaaS Services leading a team who hosts third party SOC, HIPAA, and PCI audits and has worked for Oracle for eight years. Her career includes 12 years in a regulatory role, leading third party, customer, internal, facility, and vendor audits. She is an active volunteer with the Executive Women’s Forum.
Kristen Wilbur is a manager with Schellman & Company LLC, with over 8 years of experience in providing IT attestation and compliance services. Kristen has evaluated risk and controls for Global 1000, Fortune 500, and regional companies during the course of her career with a strong focus in the technology sector.