A recent study from Hewlett-Packard found that 70 percent of Internet of Things (IoT) devices contain serious vulnerabilities. Recent events prove that these vulnerabilities are being exploited on a daily basis. The good news? We can fix the problem.
With every technological advancement the IT industry has made to protect devices, it has gained knowledge and insights into how to best combat attackers and elevate security. However, it’s clear that these vulnerabilities continue to exist, despite our best efforts to combat them. In fact, we have addressed many of the same problems before. Innovation often outpaces security because information security is not just a technical problem; it’s a business problem.
When a major breach occurs, the press lights up with articles and stories about personal information security. Most of this advice is excellent, you really should be using strong passwords. But we get the same advice, over and over, since the early days of the internet. Why?
In its report, HP states the most common security issues reported from the scan of 10 of the most popular IoT devices included privacy concerns, insufficient authorization, lack of transport encryption, insecure web interface and inadequate software protection. While concerning, HP also offers some advice on how to improve the security of these IoT devices, and what to look out for before investing in the technology.
What HP does not address is that the reason these problems continue to exist despite repeated dire warnings is that it is often difficult to create a business case around information security. In addition to the technical advice about personal information security and good development practices, there are some basic rules to follow when dealing with the business side of security.
The breach starts in the boardroom
In the past a data breach could be kept quiet and dealt with internally, but that is no longer the case. If you are a company of even moderate size or importance any loss of customer data will be widely reported in short order. Your stockholders and your board are going to want an explanation from senior management, and it is a good bet your CEO already knows this. Explain your security plan in plain English and provide detailed information. A plan to set up VLANs with an IPS system and a security review of third party hardware are all good ideas. Explaining that this might help prevent a loss of credit card data from a bad POS system, similar to the recent Home Depot incident, is better.
Not all IoT devices are created equal
If you are planning to use, develop or integrate with an IoT product, please do your homework and follow these tips:
Insist on a strong identity. The first step to securing information is having a strong identity. It doesn’t matter if it’s through passwords, biometrics, tokens or any other method. Use multi-factor authentication, make sure your identities are stored securely and never transmit credentials in clear text. Now that it is 2014, it’s inexcusable for developers to create or consumers to accept weak authentication in any product. Many IoT devices offer users the opportunity to create strong identities when used properly. For example, the Nymi wristband uses your heartbeat, which is as unique as a fingerprint, to wirelessly take control of computers, smartphones, cars and more.
Don’t trust the protocol. The truth is, many communications protocols were not designed with security in mind. With that said, take it into account and anticipate that other devices connected to yours are not always properly secured. By expecting the worst, or at least by expecting a lack of security, device users should be able to proactively protect themselves from unsecure protocols.
Security does not equal privacy. This may seem obvious, but when these two terms are associated with the Internet of Things, the definitions can get murky. Security, in its very basic form, means safety, protection and defense. Privacy, on the other hand, means secrecy. While the terms can go hand-in-hand, they are not one in the same. For connected devices, collecting personal data is the point of the product. For example, Nest and FitBit wouldn’t be the same if they didn’t collect your personal data and learn from your habits. This collecting of information can be seen as an intrusion into privacy, but should not jeopardize any security.
Data security is a product
Big Data is big business at the moment, use that to your advantage. Protect that data just like any other trade secret. Protection of that information is likely to be a key selling point to the next generation of consumers.
We will continue to go through the viscous cycle of data gathering and data loss as long as security remains locked in the IT space. Until security gets the same attention and resources as Sales or R&D, we will always be one step behind the bad guys.