REPOST: Recognising the need for greater regulation for the IoT
Thu, 08/01/2019 – 04:39
(This article was originally published in TEISS)
John Grimm, Senior Director of Strategy and Business Development, nCipher Security, says we need to take a proactive approach, creating and embedding a layer of protection at the very heart of the IoT.
Despite the Internet of Things (IoT) quickly becoming an integral part of most consumer and business interactions, it has yet to reach its full potential.
While the positives are undeniable – greater connectivity, the ability to optimise processes, and a gateway to new opportunities – the risks can’t be ignored. A combination of increased entry points, limited governance, and a lack of security by design have all resulted in IoT devices becoming a prime target for hackers.
Rather than continuing to deploy these devices with a blind eye to security, we need to take a proactive approach, creating and embedding a layer of protection at the very heart of the IoT. Only then can organisations and consumers truly unlock the benefits that connected devices have to offer.
A demand for standardisation
It’s not often that we associate greater regulation with increased opportunity; however, when it comes to the Internet of Things, enforcing stricter parameters can drive the best results.
Given the potential for hackers to infiltrate networks and gain access to vast amounts of information, steps must be taken to guarantee that a device, along with the data it generates and collects, can be trusted. After all, if you don’t have confidence in the data or even the device itself, how can you make business decisions using them?
With consumers in particular still prioritising performance and accessibility over security, it’s down to manufacturers to play a major role in standardisation across the industry, ensuring that each and every device has security capabilities embedded from the point of creation.
The more that manufacturers dedicate to incorporating security features early on, including making users aware of what they are and how to use them, the less likely the devices will be compromised later down the line.
Putting plans in place
Recognising this need for enhanced regulation, the UK Government recently published its consultation on proposals for mandatory requirements to ensure smart devices adhere to basic levels of security. Handing greater accountability to device manufacturers and introducing a new labelling system to indicate the presence of basic security features, the consultation signals a positive step in the right direction.
However, some of the recommendations are still dependent on variable factors – for example a user may choose a weak password to replace the default, or a manufacturer may go out of business and stop delivering security updates to its devices.
The consultation followed a voluntary Code of Practice launched in October of last year, to help manufacturers boost the security of internet-connected devices such as smartwatches, virtual assistants and toys. Tech companies HP and Centrica Hive were the first to sign up to the code, promoting the UK as a global leader in efforts to strengthen IoT security.
More to come
While it’s important that security is being enforced through regulation, a certain level of accountability also lies with the device users themselves, especially across the enterprise.
It is essential, therefore, that businesses take further steps to ensure the information collected by devices can be encrypted, and that digital signing is used to certify the authenticity of software updates, helping to prevent the introduction of malware.
By creating a unique identity that can be authenticated when a device attempts to connect to a gateway or central service, each device can be tracked throughout its lifecycle. Should any devices begin exhibiting unexpected behaviour, their privileges can be revoked and they can be removed from the network altogether.
Once a root of trust is established across all devices, your authentication system can leverage it to reduce the risk of unauthorised devices.
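The connect-time check and revocation described above, sketched as an added example that is not from the original article or from nCipher. It assumes a symmetric stand-in for the root of trust (per-device keys derived from a root key with HMAC); real deployments typically use certificates and hardware-protected private keys, and the names `Gateway`, `device_respond` and `sensor-001` are hypothetical.

```python
import hashlib
import hmac
import secrets

class Gateway:
    """Authenticates devices by unique identity and can revoke them later."""
    def __init__(self, root_key: bytes):
        self._root_key = root_key   # assumption: stand-in for the root of trust
        self._enrolled = set()      # identities issued during provisioning
        self._revoked = set()       # identities removed from the network
        self._pending = {}          # device_id -> outstanding single-use nonce

    def _device_key(self, device_id: str) -> bytes:
        # Unique per-device key, derived from the root key and the device identity.
        return hmac.new(self._root_key, device_id.encode(), hashlib.sha256).digest()

    def enroll(self, device_id: str) -> bytes:
        self._enrolled.add(device_id)
        return self._device_key(device_id)  # provisioned into the device

    def challenge(self, device_id: str) -> bytes:
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def authenticate(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)  # consumed once, so replays fail
        if nonce is None or device_id not in self._enrolled or device_id in self._revoked:
            return False
        expected = hmac.new(self._device_key(device_id), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison

    def revoke(self, device_id: str) -> None:
        self._revoked.add(device_id)

def device_respond(device_key: bytes, nonce: bytes) -> bytes:
    # Device side: prove possession of the provisioned key without sending it.
    return hmac.new(device_key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    gw = Gateway(secrets.token_bytes(32))
    key = gw.enroll("sensor-001")  # constructed device identity
    resp = device_respond(key, gw.challenge("sensor-001"))
    results = {"valid": gw.authenticate("sensor-001", resp)}
    results["replay"] = gw.authenticate("sensor-001", resp)
    results["unknown"] = gw.authenticate("sensor-002", device_respond(key, gw.challenge("sensor-002")))
    gw.revoke("sensor-001")  # e.g. after unexpected behaviour is observed
    results["revoked"] = gw.authenticate("sensor-001", device_respond(key, gw.challenge("sensor-001")))
    return results

if __name__ == "__main__":
    print(demo())
```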
Implementing these various security procedures may be seen as an obstacle by some, but, if implemented correctly, they perform a vital function. As organisations and governments continue to work to address the security challenges that are holding the IoT back, education will remain key.
With greater transparency, guidelines and best practices, those interested in utilising connected devices will be able to make more informed purchases, and make good decisions when putting those devices into operation as well.
*** This is a Security Bloggers Network syndicated blog from Drupal blog posts authored by john-grimm. Read the original post at: https://www.ncipher.com/blog/repost-recognising-need-greater-regulation-iot