In his article “IoT Security is an Afterthought,” Dr. Christos Dimitriadis of BetaNews explored the idea that IoT security has been lacking. He reports that an estimated 30 billion devices will connect to the internet by 2020. A list that once included only mobile phones and laptops has expanded to include cars, homes, and appliances.
A Gap in Testing
In 2015, ISACA surveyed IT and cybersecurity professionals about the IoT. A surprising two-thirds of respondents agreed that something was missing from security measures implemented at the manufacturer level. For Dr. Dimitriadis, the problem is rooted in the process: “security testing often sits further down the development chain, meaning security vulnerabilities can be overlooked or ignored.” In many cases, manufacturers are operating within strict timelines and budgets that prevent them from testing or correcting possible security or privacy concerns. As a result, they are working after the fact. They are developing security too late, often reacting to problems rather than working to prevent them.
So why then aren’t manufacturers doing a better job of prioritizing security in their development? Because, when it comes to device security, consumers are even further behind the curve than the manufacturers. As security concerns with the IoT increase, consumers are only adding to the problem. Their implicit trust in the manufacturer’s knowledge of device security, paired with their automatic acceptance of software patches and operating system updates, has granted the manufacturers an easy out. In reality, “consumers should be more wary of their security and privacy when dealing with connected devices,” writes Dr. Dimitriadis. As long as consumers, including MSPs, continue to purchase devices and software not thoroughly vetted for security vulnerabilities, manufacturers will continue to skirt around or even ignore security exposures.
Who is responsible for mandating better IoT security? For Dr. Dimitriadis, the answer is everyone.
Manufacturers need better security plans in place. Consumers need to increase their skepticism. Managed services and other IT services providers (ITSPs) must reevaluate basic practices for data and device security (e.g., passwords and software updates).
Steps for Managed Services Providers
ITSPs should take a proactive approach to identifying customers’ limitations and encourage customers to take advantage of the Security as a Service (SECaaS) options available. They can also work to better educate their customers. Creating a “secure devices best practices” list will allow for a clear explanation of the importance of secure passwords, locking personal and professional devices when away, and running software updates.
Device connectivity has developed so quickly that manufacturers, IT pros, and consumers have all fallen behind. Now is the time to start catching up, by creating useful protocols around data protection and consumer security education.