The increasing popularity of interconnected technologies should be tempered with the need to ensure that such devices are designed with security in mind. The ‘Internet of Things’, or IoT, is not a new concept: the term was first popularized almost two decades ago. As society starts to recognize and embrace the potential benefits, the introduction of new IoT devices is increasing at a breakneck pace. In 2016 it was reported that there were 5 billion connected devices, and it is predicted that by 2020 there will be between 50 and 75 trillion, leading to potential economic benefits of $10-$12 trillion by 2025.
This futuristic, inter-connected world has considerable lifestyle benefits for both consumers and businesses alike. Imagine for example what a simple trip to the grocery store might look like in an IoT world.
A trip to the cyber store
As you put on your IoT connected shoes and jacket, a signal is sent to your car instructing it to automatically start the engine and set the climate control to a temperature appropriate to the prevailing weather conditions – which the system already knows. Your front door unlocks and opens as you walk towards it. You step outside and approach your car, the house door closes behind you, lighting and heating switch off, the alarm sets itself and the car door opens for you. Your favorite music is already playing as you settle into the driver's seat. The car door closes, the seat belt automatically deploys and you instruct the car to drive you to the store. En route, your car communicates with traffic signals and with other vehicles, enabling it to adjust the route as it goes and increasing the efficiency of the journey. On arrival at the grocery store parking lot, the empty parking bays communicate with the car, which automatically parks itself in the space closest to the entrance to the store.
In this IoT enabled world, there is no need for shopping lists as your internet-connected refrigerator and cupboards maintain a database of goods you have in stock and communicate with your shopping cart as you traverse the aisles. The cart alerts you when you pass an item that you need to buy. As you select your purchases, the cost is automatically tallied for you and a running total provided on a readout on the cart. Even the payment is synchronized, as the cart communicates directly with your bank to take an instant payment at the point that you wheel the cart out of the store – no need to wait in line for the next free register.
What could possibly go wrong with the IoT?
The rapid commercialization of IoT technologies causes great trepidation for the average information security professional and the security community in general. The main flaw in this Utopian vision is its reliance on the Internet we know and love, which was developed using much older, cumbersome technologies and designed for slower data transmission and smaller volumes. Today, Internet-connected devices are far more advanced and able to exchange large quantities of data, almost instantaneously. The essence of the Internet has changed very little, continuing to support the sharing of knowledge and information, but the number of sharing devices is increasing exponentially, putting significant strain on the underlying technology of the network. Liken this to trying to build a skyscraper out of materials that were originally meant for a hut.
The other significant risk in the ever-expanding world of IoT is its inherent ability to harvest and exchange data from a plethora of devices that may hold sensitive and private information on individuals and enterprises alike. Such Personally Identifiable Information (PII) is the very stuff that the Bad Guys are seeking to exploit. The security industry has recognized the potential benefits and dangers that come with the growth of the IoT but, guess what, so have the Bad Guys. Consequently, we are now seeing criminal groups creating malicious applications to exploit any software or hardware vulnerabilities associated with these data harvesting devices and the individuals or businesses that use them. With the Internet of Things we may well be entering the Danger Zone.
Imagine the potential benefits for the cyber-criminal if they can intercept the data being collected during a simple trip to the shops, for example:
- Knowledge that your home is empty.
- Your routine (people are creatures of habit).
- Your interests.
- Your payment/bank account details.
The world of IoT relies on dynamic and developing technologies that are often compromised by numerous flaws. Such flaws can be exploited by the Bad Guys each and every day. For example, according to one cyber security company, a new cyber-threat is discovered every three seconds, and an astonishing 176 new threats per minute were discovered in the last quarter of 2016. Given the predicted increase in the volume of connected devices (8.4 million in 2017), this level of cyber threat is only likely to grow.
What can be done?
The benefits of the IoT revolution are enticing and significant, but in deploying these new technologies there needs to be a strong focus on integrated security by design and security awareness. Global governments may well choose to enforce the need to maintain the security of IoT devices through robust legislation, but companies will also need to invest in overcoming the shortfalls in the availability of qualified security professionals.
From a business strategy standpoint, IoT deployment could offer companies significant competitive advantage and opportunities to develop and diversify their business models. However, such strategies need to be considered in the light of the overall impact on security management and compliance with standards such as the PCI Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).
About Welford Management & Consulting
Welford is a multifaceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in three practice areas: Security & Compliance, Business Strategy & Support and Sales & Marketing Automation. Our expertise comes from a team of individuals who focus on one area of our practice disciplines so that we can bring the necessary skills and experience to the business challenge or opportunity that you’re currently facing.
In the Security & Compliance practice we help assess your current level of risk related to the sensitive customer information that you may hold within your organization. This may be payment card information, personal health information or data on European citizens that falls under the requirements of the General Data Protection Regulation (GDPR), which becomes law on May 25th, 2018. We develop and execute strategies to address your data security requirements and support the implementation of the technologies and processes that help reduce the likelihood of you suffering a damaging and expensive data breach.