Before I start the blog, I want to take a moment to thank Evelyn de Souza for co-authoring this piece with me. Evelyn and I share a passion for security and privacy and have decided to focus our next set of articles on Data Security and Privacy in an IoT-connected world. Evelyn was the Data Privacy and Security Strategy Leader at Cisco, and prior to that spent time at other security companies such as McAfee, BigFix, and Cloudmark. Today, she is the Data Security and Privacy Strategist / Advisor to the Cloud Security Alliance and Radius Innovation & Development, and a partner working with us during the design phase to help customers design for the security and privacy of the IoT devices and digital ecosystems they wish to take to market. So thank you, Evelyn, for your partnership!
On Friday last week an estimated 100,000 household Internet of Things (IoT) devices such as webcams, digital video recorders, and thermostats turned into malicious bots, causing outages across 80 major websites. For most consumers, it was their first taste of how easily connected devices could turn on them and unleash havoc on the Internet. With Gartner estimating 6.4 billion devices in use and a massive jump to 20.8 billion in about 4 years, the real consideration is what this portends for the future of IoT and security.
Senator Mark Warner has called for “improved tools to better protect American consumers, manufacturers, retailers, internet sites and service providers.” IoT devices are very attractive targets for hackers, as most lack even rudimentary security and are easy to discover by their model numbers when connected to the Internet. Many devices ship with default usernames and passwords that can be compromised in seconds, and without convenient options for consumers to change these defaults. This all-too-often forgoing of security is a result of multiple factors, such as a lack of awareness, security expertise and consumer demand for it, and the desire for simplicity as well as a slick, plug-and-play product.
The ultimate objective is to foster a market offering secure devices as well as consumer awareness and understanding. Security needs to be presented to consumers as a power tool rather than as an inconvenience: as a means for consumers to have greater control over their product and their data. For this to be possible, security needs to be contemplated in the early design stages of IoT and be part of a multi-stakeholder approach:
- Conducting vulnerability and risk assessments would help developers and manufacturers know what to protect
- Requiring consumers to change passwords before a device is used could be easily implemented along with more secure authentication options
- Designing firmware that can be automatically and securely updated may require more processing power but would greatly mitigate threat vectors
- Implementing strong encryption could effectively secure sensitive consumer data and further deter hackers
Unlike established hardware and software companies, many startups entering the market have not had the benefit of decades of security experience; in fact, many of today’s startups are walking into our Radius Design studios without a thought to the privacy of their customers’ data or the security of the Internet overall. By working with Radius at the very front-end design stage of new product introduction, startups are learning the need to design for security and privacy in creating differentiated and secure products and digital experiences for their customers, and in so doing are helping protect the Internet overall.