With an estimated 20 billion Internet-connected devices set to appear in our homes and offices by the end of the decade, future cyberattacks will dwarf what we’ve seen to date. These connected devices will feed into fundamental infrastructure we rely on every day: transportation, power plants, medical devices, and supply chains, for example. As cyberattacks move from financial and reputation risks into the realm of ‘life and death’ consequences, which IoT stakeholders should we turn to to address this?
The most significant IoT ‘stakeholders’ fall into three wide categories: IoT device makers and developers, end-user companies, and governments. These stakeholders will need to craft an effective response to this new breed of IoT-based threat and ask themselves: how might we mitigate the risk of the first life-threatening hack?
Security by design
Too often, developers and manufacturers ignore security protocols when designing IoT devices. In the saturated IoT market, manufacturers face consumer demand to deliver products to market incredibly quickly, coupled with the pressure to keep costs low to stay ahead of the competition. This must change as the number of connected devices continues to rise.
With the boundaries between networking, storage, and computing blurring, security can no longer be an afterthought. Unfortunately, we are seeing an influx of low-end consumer IoT devices with little to no security. Customers with no awareness of security issues will simply buy and install these devices without regard for the risks – bringing them into their homes and places of business and connecting them to local WiFi networks. Manufacturers therefore have a responsibility to implement stalwart security before IoT devices come into ubiquitous general use.
Software developers and hardware manufacturers must adopt ‘security by design’. Security should be viewed as fundamental to the desired user experience – a core feature, not a last-minute add-on. Manufacturers who make a point of establishing their cybersecurity capabilities in the design stage will better protect their customers from both virtual and physical harm – and this will be a powerful competitive differentiator.
The private sector
IoT use in the enterprise will take off in 2018 and beyond. The private sector will therefore be hugely influential in the evolution of these products. Business leaders at executive and board level will need to ensure that security best practice is implemented throughout the organisation. Across the board, strategies should be devised to make security a fundamental priority for the business. Similarly, IT should closely consider the security credentials on any new IoT devices being implemented within the organisation.
For example, it is now common for large organisations to employ a CISO to ensure there is C-level accountability for orchestrating cybersecurity efforts. Cyber incident response planning and team training is also becoming a board-level priority. Frequent communication between management and security personnel is essential for informed decision making amongst this group of stakeholders.
Ensuring public safety
As cyber threats become more serious and raise public safety concerns, each and every government body has a responsibility to work towards a safe and secure IoT environment for its citizens.
Policymakers will need to work with the private industry to create a framework for reliable IoT security that actively protects end users and their privacy without hindering innovation. For example, in the UK the government already holds a position of responsibility when it comes to the regulation of connected and autonomous vehicles. In fact, the Law Commission recently revealed an ambitious programme to develop legislation to promote the safe use of internet connected cars – and this is set to be ready as early as 2021.
Members of the government with a background in technology and security would be a welcome sight in helping to craft effective legislation around IoT security. In the United States, the Gramm-Leach-Bliley Act of 1999 – which required the financial industry to explain information-sharing practices to consumers and outline how they protect their customer data – is an example of best practice. Collaboration between various elements of the public sector will be necessary to tackle this from an IoT perspective.
In Europe, the General Data Protection Regulation (GDPR) will soon take effect, requiring businesses to implement ‘security-by-design’ practices – including during the development of IoT devices.
Voluntary IoT security guidelines have already been issued by the Food and Drug Administration, National Institute of Standards and Technology and the Department of Homeland Security in the US. Whilst these are positive steps towards securing the future of IoT, more oversight and enforcement from governments is sorely needed as the IoT industry matures.
New responsibilities for stakeholders
Every stakeholder within the digital ecosystem – from manufacturers and regulators to enterprises and end users – must play their part (and do a significantly better job) to ensure security is part of the ongoing digital revolution. The stakes will be as high as they can be. Each and every stakeholder should feel obligated to contribute what is required to create a safe and secure environment in the future.