There’s an old analogy often used by commentators when discussing cyber security-related matters. Brakes were invented not to slow down cars but to enable them to travel faster more safely, the story goes. In a similar way, information security should be designed into systems from the start not to impede but to enable them to be used to their full potential. Nowhere is this more appropriate than when we talk about the Internet of Things (IoT).
Gartner said earlier this month that by 2017, more than 20% of enterprises will have “digital security services” tasked with protecting the IoT. I’d argue that this is far too little too late.
We’ve Only Just Begun
The IoT is a massive potential market – that’s obvious even now. Cisco says there are already 13 billion “people, processes, data and things connected to the internet”, with that figure reaching potentially 50 billion by 2020. IDC, meanwhile, believes the IoT market will reach over $7 trillion in six years’ time, up from $1.9 trillion in 2013. This new world of interconnected “third platform” devices all speaking to each other is increasingly driven not by consumers but corporates, the analyst said.
From smart meters to smart buildings, healthcare systems, and even insurance platforms which can automatically set premiums based on data collected from an applicant’s car, the possibilities are endless.
The Problem with IoT
The IoT represents a wonderful opportunity for companies to operate internally in a more efficient, agile way than ever before and offer customers countless ways of making their lives easier, safer and just better all round. But there are risks.
Data from internal smart sensors could be stolen and used by rivals to emulate efficient processes, or to blackmail critical national infrastructure (CNI) firms running mission-critical industrial control systems. Employee-owned smart devices, just like BYOD, will also introduce extra risk that must be managed. Then there’s that customer IoT data which will need protecting if businesses want to avoid a potential privacy backlash. The European Data Protection Supervisor (EDPS) has already raised serious concerns around the privacy implications of such data being collected and stored.
Defence Starts Now
This might sound like overkill. After all, as the stats show, we’re only at the beginning of what is likely to be a long and winding journey towards an IoT future. But we need to design those brakes in now so that the technology can reach its potential. We need to be thinking about how the bad guys could subvert current and future systems so we’re in a better position to react when the worst-case scenario happens. That’s something Trend Micro tried to do with the ground-breaking 2020: The Series online video project.
It’s also great to see that web security community OWASP has already got involved. Its Top Ten Internet of Things project is a promising start in helping vendors understand where security issues may lie and how to prevent them. But we all need to be more proactive. After all, would you ever buy a car without brakes?