The Internet of Things (IoT) is rapidly expanding to include a previously undreamed of amount of connected devices – cars, toys, medical devices, home appliances – and all these smart things connecting to the Web have to be secured. Unfortunately, security seems to be bottom on the list of priorities for IoT manufacturers and developers.
So says Simon Campbell-Young, CEO of Intact Software Distribution, adding that there’s the widest possible array of applications for the IoT, for end users and businesses alike, and with this expansion, protecting an organisations sensitive information becomes increasingly crucial. “Gartner estimates some 25 billion devices will be connected by 2020. Alongside this, the potential attack surface is growing exponentially too. How does a company manage security when there are multiple points of vulnerability, and the number is getting bigger every day?”
He says this is a major challenge for businesses of all types and across all industries, and there is no silver bullet solution.
“If anything, the slew of breaches that have littered the news over the past few years has shown that current security measures are simply not enough. We know we are not resilient, particularly in light of the IoT, which is why securing IoT devices has to begin from the ground up, at the very beginning of the development process, and not added on as an afterthought. This is simply not optional any longer.”
Information security is crucial to the growth of the IoT, and if it is not moved to the top of the priority list, the business opportunity will be undermined, Campbell-Young adds. “OEMs need to have security specialists on board from the beginning. Product managers and security guys need to work side by side to plan the product’s development, and ensure security is a fundamental consideration.”
In addition, he says risk management plays a vital role. Executives and managers must pinpoint where their business might be vulnerable by examining a variety of attack scenarios, and should also consider bringing penetration testers in to evaluate their measure. “Following this, the impacts, both financial and reputational, need to be carefully evaluated. Each business must decide how much appetite for risk they have, and plan security around that.”
Finally, Campbell-Young says organisations need to educate consumers on best practice such as regularly changing passwords, which is amazingly still one of the main causes of a security breach, and offering advice on security patches for their IoT devices.
In terms of privacy, IoT vendors must have privacy policies in place that clearly define how any data is collected from IoT devices. “These must be readily available to consumers, and must leave no room for ambiguity. All of us are more aware and concerned about how our personal data is being used and stored, and IoT vendors who are transparent about this process will instil confidence, which in turn will help their businesses.”
The IoT is set to be huge for individuals and businesses alike, but security must be core to every element of the process. “You wouldn’t buy a car that had no locks, or a bottle without a lid. Why should buying an IoT device be any different?” Campbell-Young concludes.