by Larry Bellehumeur | Oct 02, 2019
In previous blog posts, I have focused on the need for device manufacturers and software providers to "step up" when it comes to security: both need to ship their products with security controls installed and enabled by default. While that plays an integral part in securing the world of IoT, there is usually additional work for customers to do to keep their own data secure. Thanks to our friends at Deloitte, here are the first five of the most significant security risks that IoT poses. I have added some thoughts and tips on what you can do to protect yourself. The remaining five will come in a future blog post.
Not having a security or privacy plan
In too many cases, companies deploy IoT products and services with little or no thought given to security or privacy. Even when companies do think about it, most rely mainly on whatever protection the hardware or device provides out of the box.
One way to get a high level of security for your solution is to use a well-secured, turn-key offering from a solution provider. For those who need no unique customization or devices, this may be enough to cover the bulk of the security work.
If you choose not to use a turn-key offering, you need a plan that covers everything: for example, what password policy you require, how you onboard (and offboard) employees, and what you will do in the event of a breach.
Lack of ownership to drive security and privacy
While it is great to have a plan, as mentioned in the first point, the procedure becomes useless if nobody takes ownership of it. The best place to start in most companies is the IT team, but in most cases they are not sitting around waiting for things to do. This also becomes an issue if you have no formal IT team, or if the team is located far from the critical assets, which is often the case with IoT.
Luckily, IoT solutions often have extensive ability to update remote devices over the air, including enforcing password changes and pushing firmware updates. However, as with any other kind of security, the procedures only work if everyone in the organization actually practices them, and the update channel itself has to be trustworthy: a device that accepts any firmware pushed to it is a liability, not a control.
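Over-the-air updates are only as safe as the checks the device performs before it writes a new image to flash. The following is an added example, not code from the original post or from any particular vendor, of the minimum device-side checks: authenticate the update manifest, confirm the image matches the hash in the manifest, and refuse any version that is not newer than what is installed (anti-rollback). The key, image bytes and manifest format are constructed for the example; a real deployment would hold only a public key on the device and use an asymmetric signature (for instance Ed25519) rather than the HMAC used here so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed sample verification key. In production the device would hold a
# public key and the manifest would carry an asymmetric signature instead.
VERIFY_KEY = b"example-update-signing-key-not-for-production"


def sign_manifest(image: bytes, version: int, key: bytes = VERIFY_KEY) -> Dict:
    """Build server side: describe the image and authenticate the description."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    payload = json.dumps(manifest, sort_keys=True).encode()
    manifest["tag"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return manifest


def verify_update(manifest: Dict, image: bytes, installed_version: int,
                  key: bytes = VERIFY_KEY) -> Tuple[bool, str]:
    """Device side: checks that must pass before an OTA image is applied.

    Order matters: authenticate the manifest first, and only then trust
    the hash and version fields it carries.
    """
    tag = manifest.get("tag")
    fields = {k: v for k, v in manifest.items() if k != "tag"}
    payload = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag byte by byte through timing
    if not isinstance(tag, str) or not hmac.compare_digest(tag, expected):
        return False, "manifest authentication failed"
    if hashlib.sha256(image).hexdigest() != fields.get("sha256"):
        return False, "image hash does not match manifest"
    version = fields.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "version is not newer than installed (rollback rejected)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed firmware image: a device would receive the real binary here.
    firmware = b"\x7fELF...constructed firmware image v2..."
    manifest = sign_manifest(firmware, version=2)
    print(verify_update(manifest, firmware, installed_version=1))
    print(verify_update(manifest, firmware + b"\x00", installed_version=1))
    print(verify_update(manifest, firmware, installed_version=2))
```

The rollback check is the one most often forgotten: without it, an attacker who has captured an older, validly signed image with a known flaw can push it back onto the fleet, and every other check will pass.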
Security not being incorporated into the design of products and ecosystems
Now, this is not a new topic when it comes to my blogs. I have long stated that there needs to be a minimum security level for IoT devices, and those security settings/options need to be enabled by default by the manufacturer.
While security that is not enabled by default may be a nuisance for the average consumer, it has the potential to be a disaster for most organizations. It goes beyond defaults, though: manufacturers need to incorporate things like a unique username and password for each device (so that one leaked credential does not unlock the whole fleet) and strong encryption for all data transferred to and from the device.
Finally, most IT teams have extensive security plans for their tablets and laptops, and likely their smartphones. They need the same level of security planning, enforcement and checks for their IoT systems; otherwise those systems are simply too exposed to attack.
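The "unique credential per device" point is easy to state and easy to get wrong at the factory. The following is an added example, not code from the original post or from any manufacturer, of provisioning one random credential per device serial, storing only a salted PBKDF2 hash on the server side, and measuring the blast radius of a single leaked password against a fleet provisioned with one shared default. The serial numbers, the `provision_device` and `authenticate` helpers and the in-memory store are all constructed for the example; transport encryption for the login itself is assumed and not shown.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample fleet; nothing here comes from the original post.
SERIALS: List[str] = ["SN-0001", "SN-0002", "SN-0003"]

# Server-side store: serial -> (salt, PBKDF2-SHA256 hash). The plaintext
# password is burned into the device and is never stored in clear.
DeviceRecord = Tuple[bytes, bytes]
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_device(serial: str, store: Dict[str, DeviceRecord]) -> Tuple[str, str]:
    """Assign a fresh random credential to one device at manufacturing time.

    Returns (username, password) to program into the device. The username is
    the serial, so no two devices share an identity, and the password is
    128 bits from the OS CSPRNG, so none is guessable from another device's.
    """
    password = os.urandom(16).hex()
    salt = os.urandom(16)
    store[serial] = (salt, _hash_password(password, salt))
    return serial, password


def provision_with_shared_default(serial: str, store: Dict[str, DeviceRecord],
                                  default: str = "admin") -> Tuple[str, str]:
    """The anti-pattern, for comparison: every unit ships with the same password."""
    salt = os.urandom(16)
    store[serial] = (salt, _hash_password(default, salt))
    return serial, default


def authenticate(username: str, password: str, store: Dict[str, DeviceRecord]) -> bool:
    """Server-side check of a device login against the hashed store."""
    record = store.get(username)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_hash_password(password, salt), digest)


def blast_radius(leaked_password: str, store: Dict[str, DeviceRecord]) -> int:
    """How many devices in the fleet a single leaked password logs in to."""
    return sum(1 for serial in store if authenticate(serial, leaked_password, store))


if __name__ == "__main__":
    good: Dict[str, DeviceRecord] = {}
    creds = [provision_device(s, good) for s in SERIALS]
    print("per-device fleet, one leaked password unlocks:",
          blast_radius(creds[0][1], good), "device(s)")

    bad: Dict[str, DeviceRecord] = {}
    for s in SERIALS:
        provision_with_shared_default(s, bad)
    print("shared-default fleet, one leaked password unlocks:",
          blast_radius("admin", bad), "device(s)")
```

The credential that leaves the factory should also be printed only on the unit's label or delivered through a separate channel, never derived from the serial number or MAC address by a formula that is the same for every unit, since that formula ends up in a forum post sooner or later.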
Insufficient security awareness and training for engineers and architects
IT security has been around for decades, and companies spend billions of dollars annually trying to keep things safe, yet issues still arise. Attackers always seem to find a new hole into key systems.
IoT systems are relatively new, at least to most parts of the organization, and many current professionals were likely never taught how to protect them in school. To make it worse, IoT is still evolving, which makes it challenging to keep up with all of the latest threats. Companies need to be aware of this and even, *gasp*, slow down deployments until their teams have the knowledge to secure them properly.
Lack of IoT/IIoT product security and privacy resources
In response to the previous point, you may ask, "Why doesn't the company just hire some outside security consultants to get things set up correctly?" That would be a good answer, except that there is a shortage of IoT and IIoT security and privacy resources to meet the demand.
IoT has grown with such force that companies in every part of the industry are short of people. Product and software companies find it difficult to staff their teams, especially on the security side. Service providers usually overwork their limited security staff to avoid roll-out delays. The shortage extends to end-user organizations that struggle to find people for their internal programs.
The obvious fix is to graduate more people from university with these skills. Long-term, that will likely be the solution, but it does not help in the short term: IoT security experts need specialized skills that are often only gained on the job. It will take a decade or so, if not longer, for supply to catch up with demand.