“Regulation is the only way to control IoT cyber security threat” asserts Databarracks

The Internet of Things (IoT) will be the source of more data breaches as the ongoing mass adoption and rapid growth in the number of connected devices continues, both in terms of consumer products and the Industrial Internet of Things (IIoT). That’s the view of business continuity and disaster recovery firm Databarracks.

The scale of vulnerability of the IoT was recently highlighted by Trend Micro, which found flaws in two of the most popular IoT protocols with hundreds of thousands of exposed public-facing IPs uncovered by the company’s study. Additionally, recent research by Databarracks found that 57% of organisations are now concerned about the security of the IoT.

The Government has been proactive in addressing IoT security risks, publishing the Secure by Design report back in March and introducing a Code of Practice for consumer IoT security.

However, Peter Groucutt (managing director of Databarracks) argues that, while the introduction of a Code of Practice is a positive step, it’s not enough to sufficiently address the issue of IoT security.

“The content, guidelines and recommendations in the Code of Practice are excellent,” he stated. “It addresses the most fundamental cyber security practices in order of criticality and importance, but the scheme doesn’t prohibit non-compliance. We should take inspiration from countries such as the US and Thailand in seeking to make these requirements legally enforceable.”

Groucutt continued: “Expert estimates vary in total quantity, but everyone agrees that we’re now seeing sharp growth in the number of connected devices. A lack of diligence and care now will lead to trouble later on. Our lack of regulation means we see instances as serious as insecure children’s smart watches. The Code of Practice will be adhered to by the diligent parties in the IoT supply chain, but it will not prevent less committed companies from favouring profit over security and pushing insecure products to market. The same company that produced the smart watches was also found to be making insecure video baby monitors earlier this year.”

Digitalisation and data transformation

Peter Groucutt

Peter Groucutt

Groucutt went on to state: “We often talk about digitalisation and digital transformation in business. From banking to healthcare, more of our lives are digital and online. There’s a real difference between the relationship we used to have with technology and the world of the IoT. As users, we were more involved with our desktop computer, installing anti-virus software and making decisions about how we use it. With IoT devices, we’re far less involved. We have less control over settings and we have many more devices to manage. Changes must be made to ensure the makers of these devices are more responsible.

The Code of Practice is currently only applicable for consumer devices such as health trackers, smart home assistants and children’s toys and monitors. Databarracks recommends extending its reach.

“IoT devices are not just found in the consumer world,” observed Groucutt. “They’re used on corporate networks which are only as strong as their weakest links. For example, earlier this year it was revealed that a casino was hacked via a thermometer in a fish tank. We advocate making the Code legally enforceable which is, thankfully, something the Government is already considering. This is an approach supported by several cyber experts.”

In conclusion, Groucutt informed Risk Xtra: “There is the argument that Government interference might limit the UK’s ability to compete with other less regulated markets. However, device security is now so fundamental that better regulation could prove to be a competitive advantage and a differentiation point for our manufacturers, service providers, developers and retailers alike.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts