A group of U.S. senators recently introduced a new bill (the ‘‘Internet of Things (IoT) Cybersecurity Improvement Act of 2017’’) to address security vulnerabilities in connected devices. The bill would ensure that the products supplied by vendors to the U.S. government are patchable and conform to industry security standards. Introduced by senators Cory Gardner, Steve Daines, Mark Warner and Ron Wyden, the legislation would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities. While this is a positive step toward improving baseline security for all devices bought and used by the government, it magnifies a much larger issue that is prevalent today in industries that are increasing their product’s connectivity to the Internet.
The Global Connected Device Market Security Problem
Today’s connected device market is global. More and more consumers and businesses are embracing connectivity to take advantage of the innovative features that these smart devices provide. Gartner is predicting that 20.4 billion connected things will be in use by 2020. To address consumer demand for connected devices, businesses are increasingly implementing connectivity features into products. From washing machines to refrigerators to other smart home devices, businesses recognize the importance of connectivity and new services that they will be able to offer to their customers.
However, this connectivity opens up many vulnerabilities that hackers will exploit to execute various attacks, including ransomware, malware injections, Man-at-the-End attacks and others. Unfortunately, these vulnerabilities are fairly easy for hackers to exploit. This is especially the case given that the previous model for IoT devices was very often build, ship and forget. Security was, and in many ways still is, an afterthought. This approach to security is no longer acceptable as a security strategy for a connected device is crucial for all manufacturers, including protection, updates and upgrades.
Consumers Want Security Built into IoT Devices
Across several industries, we are seeing mounting pressure from consumers demanding that security be built into any connected device. Irdeto’s recent Global Consumer IoT Security Survey found that 90% of the nearly 8,000 consumers polled from six different countries, including Brazil, China, Germany, India, UK and US, believe it is important that a connected device has security built into the product. In addition, the responsibility of security is primarily on manufacturers. Our survey also found that 77% of respondents felt that the manufacturers have a level of responsibility for keeping the connected device secure to prevent hacking.
Addressing IoT Security Challenges
Legislation in one market, while a positive step, will not solve the global security problem. It will take a combination of legislation on a much wider scale and manufacturers enhancing security strategies to protect against larger-scale attacks targeting IoT technologies. This starts with understanding how hackers operate and implementing a sound cybersecurity strategy that is more about making the organization and its products more secure than the environment around the organization. Hackers will almost always target the least secure element first, as this requires the least investment of both time and money to generate a potential return. As a result, the goal for organizations selling connected devices should be to make themselves, and their product, an unattractive or unviable target for the attackers.
To do this, organizations must adopt an ever-evolving defense-in-depth approach to cybersecurity to continually raise the security bar against the latest attack vectors. This approach needs to involve many layers of security being implemented throughout their product ecosystem, rather than just a simple perimeter defense or hardware-only security approach. Mitigating attacks against connected devices is crucial to the protection of their consumers, their brand reputation and, ultimately, their revenue.