The Internet of Things (IoT) industry must establish a common set of security standards of which to adhere, according to Oscar Arean, technical operations manager at disaster recovery provider Databarracks. Arean also argues that IoT risks should feature in organisations’ continuity plans if they want to be protected.
Research carried out by Gartner has forecasted that 6.4 billion connected devices will be in use worldwide in 2016. Further research from Gartner predicts worldwide spending on IoT security will reach $348m in 2016 with this figure climbing to $547m in 2018. While these projections are encouraging for the future of the IoT security market, it is important that current concerns around the security of devices are not ignored.
Recent industry findings from a study across 6,000 UK consumers revealed that two thirds of those surveyed expressed concerns about the security of their devices. Arean wants to see industry standards introduced to ensure a minimum level of basic security is being met for IoT devices, reducing the risk to consumers:
“IoT has the potential to revolutionise the way we live and work. However, it introduces a fundamental new security risk. There are currently no controls in place to protect consumers from sloppy programming and unsecure devices being connected. Gone are the days of intruders staking out a house to see when someone is in. Now criminals have the ability to hack your heating controls and check your timer schedule to see when you are at work, or see whether you’ve set a holiday programme for your lights. They can even disable the CCTV if it’s online and programme the kettle to make a cup of tea for their arrival!
“Currently, there are no single security standards that manufacturers work to, and so we are potentially putting ourselves at huge risk. At the moment a product is only as secure as the efforts the manufacturer puts in. It’s such a new space that we haven’t yet reached widely adopted development best practice. Consumers are driving huge levels of demand, which manufacturers want to meet quickly; who knows what corners might be cut in order to ensure they get their devices out to market quicker than competitors. The rush to meet demand with new and innovative capabilities risks a limited focus on security.”
Arean goes on to explain that there are steps that can be taken in order to improve the IoT security landscape: “The Cloud Security Alliance (CSA) released some advice to early adopters of cloud services that I think is really valuable. They have called for a Secure Systems Engineering approach to architecting and deploying systems to be implemented. By defining what IoT best practice is, and aligning that with a standardised approach to architecture and deployment of new products, it would raise the standard of security within the industry. Further to this, the CSA recommends that a layered approach to security should be taken when it comes to IoT assets because of the physical security risks they pose.
“There are steps organisations can take to protect themselves too. Just like you have disaster recovery plans in place for a fire or for a ransomware attack, you should factor IoT risks into your plans. Define the risks and put necessary controls in place to minimise them, as well as a plan for how to deal with disruption should you experience a breach.
“Later in the year a new cyber security strategy is set to be published outlining the government’s plans to improve cyber security for the public, private and consumer sectors – it is imperative that this platform is used to reference IoT security with clear guidelines and standards outlined. Until then, organisations and end users should be wise to the risks of IoT and take the appropriate steps to protect themselves,” Arean concluded.