Are partnerships more important than standards?
James Wickes, CEO and co-founderat Cloudview
To remain relevant and competitive businesses must embrace the Internet of Things (IoT). However, a significant collateral challenge faced in doing so is managing the torrent of data these “Things” produce.
The security and privacy of “personal” data are key concerns, which is why I believe quality standards in the IoT arena are equally as important as technology partnerships.
There is no denying that collaboration between industry experts will help to bring about the true potential of a connected world, but it will take standards to ensure that all manufacturers provide the levels of security that businesses require particularly in light of the imminent implementation of the General Data Protection Regulation (GDPR).
In creating a competitive advantage, manufacturers naturally focus on differentiating features rather than the security of the product. But, if the same level of innovation went into baking in security at an early stage of product design rather than adding it afterwards, I doubt we would be seeing some of the security breaches and cyber attacks that seem to be appearing with monotonous regularity, says James Wickes, CEO and co-founder at Cloudview.
To address this issue, we are starting to see partnerships form between IoT and security vendors. Earlier this year, Trend Micro announced that it is teaming up with Asus to protect home networks against security threats. We need more collaborations like this, and at an earlier stage of the product design cycle.
However, there also needs to be more of an onus on IoT manufacturers to ensure the safety of the equipment they sell to businesses (just as car makers should ensure their cars are safe) and provide regular patches when security flaws are identified. If this doesn’t happen, we will see an increase in large scale attacks such as the one carried out on Dyn – a DDoS attack executed through a botnet of internet-connected devices (mainly CCTV cameras).
Worryingly, this isn’t happening (or at least not as quickly as it needs to). In the CCTV market, for example, automatic firmware updates are virtually unheard of, and many manufacturers put in software ‘back doors’, which are often subsequently revealed on the internet.
This is why standards are so crucial. The Data Protection Act (DPA), and the upcoming (GDPR), will drive better security and privacy in IoT. For compliance purposes, there will need to be more transparency on connected products, picking out the strong from the weak, and this will help to ensure that the masses of data collected by businesses are not abused.
I would also like to see a KiteMark for IoT security, helping businesses better seek out manufacturers that place cyber security and data privacy at the centre of their proposition.
CCTV systems, for example, are one of the most prevalent IoT product categories but often their data is not securely held. To help comply with the GDPR, the latest cloud-based technology could be used to record, transmit and store data securely, to enable the right people to view pertinent data as and when they need it, and to automatically delete data as soon as it is no longer required.
Such systems can also be configured to record CCTV data only when needed and also have all the required security and encryption necessary to protect data and verifiable audit logs to prove that data was handled, transmitted, viewed and deleted appropriately.
However, not all providers offer this level of end to end service, so organisations still need to take responsibility for ensuring their cloud provider or IoT vendor is compliant with the appropriate regulations. This goes for any IoT-enabled device, not just CCTV.
To summarise, combining technologies such as cloud and IoT as well as partnerships and recognisable standards will be important in developing new, more secure IoT products. But until these reach the market, business users will need to take extra care themselves.
As a minimum, they should:
- ensure that usernames and passwords for connected systems have been changed from the default state to something secure and that they have a firewall in place
- if they are unsure, have equipment assessed and installed by a trustworthy technician
- buy equipment from reputable manufacturers where there can be a comeback if a major product security flaw is subsequently identified
- ask the company they are buying the equipment from whether they will mitigate any losses incurred through privacy breaches or related fines.
The author of this blog is James Wickes, CEO and co-founder at Cloudview
Comment on this article below or via Twitter @IoTGN