We need a fundamental shift in approach: moving the burden away from consumers, who currently have to secure their own internet-connected devices, and instead ensuring that strong cyber security is built into consumer Internet of Things (IoT) products and associated services by design. So says a report on IoT by the Department for Digital, Culture, Media and Sport (DCMS).
In a foreword to the report, Margot James, Conservative MP for Stourbridge and Minister for Digital and Creative Industries, backed the take-up of IoT. She said: “However, we must ensure that individuals are able to access and benefit from connected technologies safely, confident that adequate security and privacy measures are in place to protect their online activity. The recent Mirai and WannaCry attacks, which affected core public services and used internet connected devices to breach private companies, reinforce the need for effective cyber security as part of our digital economy.”
For the 37-page report, ‘Secure by Design: Improving the cyber security of consumer Internet of Things’, visit the DCMS website. It warns that consumer security, privacy and safety are being undermined by devices’ vulnerability; and that the wider economy faces an increasing threat of large-scale cyber attacks launched from large volumes of insecure IoT devices.
Mark James, Security Specialist at cyber product company ESET, said: “Security by design is a fantastic concept when delivered correctly; it helps the user understand the requirements and encourages them to make the right decisions to ensure their safety and the safety of others is maintained at all times. One of the biggest issues for the consumer is knowing they need protecting and, just as important, understanding what they need protecting from. It’s not always easy to get this across, so, if we can implement measures from the ground up to take some of the decisions away from the user and have them ‘auto’ or ‘default’, then achieving that security will certainly be much easier. Two of the biggest issues we face with IoT are default passwords and keeping the product actively maintained and updated – if we could just solve those two issues we will certainly be a lot closer.
“So many compromises happen because either the default username and password has not been changed or vulnerabilities have not been patched – the end user often does not understand the need to close these massive fissures in IoT security, so if given the choice will often go for price over security. Of course, for all this to work we still have to maintain the ‘plug and play’ culture, and that could be a stumbling block – ensuring something is easy to install, reasonably priced and secure at the same time may not be as simple as it sounds.”
David Emm, Principal Security Researcher at Kaspersky Lab, welcomed the report, but added that the UK Government must set the standards for developing security practices for IoT devices. “We’ve all come to expect that everyday objects – from children’s toys to furniture – come with certification marks indicating that they are physically safe, but developers of smart devices do little to secure them, rarely release firmware updates, and don’t explain to users that they should change their passwords. Software should be updated automatically with clear guidance for customers.
“While it could be argued that voluntary standards are weaker, since they leave room for irresponsible manufacturers to ignore good practice, by no means are they necessarily meaningless. If the government allows manufacturers who comply with the standards to display a clearly visible mark (like the British Standards Institute kitemark), it would provide an easy way for consumers to tell if something is safe, putting manufacturers who don’t comply at a disadvantage. Security should be implemented by design – as IoT devices are manufactured for global consumption, one government’s guidelines, unless they have teeth, won’t solve the problem entirely.”
And Andy Norton, director of threat intelligence at anti-malware product company Lastline, said: “These new measures move the burden of security for IoT devices away from the user towards the vendors of the technology. The 13 guiding principles are very similar to existing best practices in managing cyber risk. These measures, in combination with the NIS Directive, Cyber Essentials and GDPR, are driving cyber risk towards a technical solution rather than reliance on human or user activity.”