Transparency, responsibility and accountability in the age of IoT

Transparency

The Internet of Things market resembles the wild west with its rapid, chaotic growth and lack of effective oversight or security.

Gartner estimates there will be 26 billion IoT devices connecting to the Internet by 2020 – an almost 30-fold increase from 0.9 billion in 2009. IoT device manufacturers and enterprise security providers face an enormous challenge trying to scale up the process of identifying and authenticating those devices.

The confidential user data IoT devices collect and share fall under the same strict laws and regulations governing data security that all IT systems do, be they laptops, on-premises databases or cloud computing platforms. Adopting a "Secure by Design" approach to device manufacturing and prioritizing users' privacy are key components in fostering transparency, responsibility and accountability in this Age of IoT.

The IoT trend is transforming virtually every aspect of our lives for the better but connecting the ever-growing number of devices creates additional risks to enterprises and consumers. James Clapper, the U.S. Director of National Intelligence, warned of the risks of the IoT to data privacy, data integrity, or continuity of service in a report presented to the Senate Armed Services Committee that stated, "devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US government systems."

Consumers are right to be concerned about guarding their privacy. When an organization like a hospital connects a new MRI machine to its network, it creates a new cyberattack vector that hackers can use to access or steal data, and even gain control of the hardware itself.

The Identity Theft Resource Center (ITRC) recorded 1,293 breaches last year - 21% higher than 2016 (the previous record-holder). It seemed like a massive data breach made headlines every week last year. So, it's understandable that expectations are high among government regulators and consumers that IoT device manufacturers, and the enterprises that deploy those devices, become better at securing confidential information. But that does not translate to a requirement that companies thwart 100 percent of all cyberattacks.

Consider the EU's General Data Protection Regulation (GDPR), which takes effect May 25. It establishes very strict requirements for protecting customer data, and a tight 72-hour timeframe for reporting a data breach. But if a company can demonstrate it has taken adequate steps to protect information, and promptly notifies affected customers about a breach, it won't be fined for falling victim to the attack.

What regulators and consumers do want to see from manufacturers and organizations that implement connected devices are the highest levels of transparency, responsibility and accountability.

We saw the negative effects of a lack of transparency with the recent discovery of the Spectre and Meltdown vulnerabilities. U.S. lawmakers demanded that representatives from several technology companies explain why they waited months after discovering the vulnerabilities to make the details public. In other words, explain their lack of transparency.

These companies have explained that they were taking time to assess the risk. They were concerned that premature disclosure would have given attackers time to exploit the vulnerabilities. That may be a valid argument, but the damage to their reputations was done.

Effective IoT device security does not mean creating a perfect product that never has any vulnerabilities; it means having a process that addresses all vulnerabilities quickly and completely. An organization must know that a device registered and attached to its network is legitimate and not fraudulent.
