The Internet of Things (IoT) will be the source of more data breaches as the ongoing mass adoption and rapid growth in the number of connected devices continues, both in terms of consumer products and the Industrial Internet of Things (IIoT). That’s the view of business continuity and disaster recovery firm Databarracks.
The scale of vulnerability of the IoT was recently highlighted by Trend Micro, which found flaws in two of the most popular IoT protocols with hundreds of thousands of exposed public-facing IPs uncovered by the company’s study. Additionally, recent research by Databarracks found that 57% of organisations are now concerned about the security of the IoT.
The Government has been proactive in addressing IoT security risks, publishing the Secure by Design report back in March and introducing a Code of Practice for consumer IoT security.
However, Peter Groucutt (managing director of Databarracks) argues that, while the introduction of a Code of Practice is a positive step, it’s not enough to sufficiently address the issue of IoT security.
“The content, guidelines and recommendations in the Code of Practice are excellent,” he stated. “It addresses the most fundamental cyber security practices in order of criticality and importance, but the scheme doesn’t prohibit non-compliance. We should take inspiration from countries such as the US and Thailand in seeking to make these requirements legally enforceable.”
Groucutt continued: “Expert estimates vary in total quantity, but everyone agrees that we’re now seeing sharp growth in the number of connected devices. A lack of diligence and care now will lead to trouble later on. Our lack of regulation means we see instances as serious as insecure children’s smart watches. The Code of Practice will be adhered to by the diligent parties in the IoT supply chain, but it will not prevent less committed companies from favouring profit over security and pushing insecure products to market. The same company that produced the smart watches was also found to be making insecure video baby monitors earlier this year.”
Digitalisation and data transformation
Groucutt went on to state: “We often talk about digitalisation and digital transformation in business. From banking to healthcare, more of our lives are digital and online. There’s a real difference between the relationship we used to have with technology and the world of the IoT. As users, we were more involved with our desktop computer, installing anti-virus software and making decisions about how we use it. With IoT devices, we’re far less involved. We have less control over settings and we have many more devices to manage. Changes must be made to ensure the makers of these devices are more responsible.
The Code of Practice is currently only applicable for consumer devices such as health trackers, smart home assistants and children’s toys and monitors. Databarracks recommends extending its reach.
“IoT devices are not just found in the consumer world,” observed Groucutt. “They’re used on corporate networks which are only as strong as their weakest links. For example, earlier this year it was revealed that a casino was hacked via a thermometer in a fish tank. We advocate making the Code legally enforceable which is, thankfully, something the Government is already considering. This is an approach supported by several cyber experts.”
In conclusion, Groucutt informed Risk Xtra: “There is the argument that Government interference might limit the UK’s ability to compete with other less regulated markets. However, device security is now so fundamental that better regulation could prove to be a competitive advantage and a differentiation point for our manufacturers, service providers, developers and retailers alike.”