The Internet of Things (IoT) will be the source of more data breaches, as we see mass adoption of connected devices, in consumer products and the Industrial Internet of Things (IIoT), according to business continuity and disaster recovery firm, Databarracks.
The cyber firm Trend Micro found flaws in two of the most popular IoT protocols with hundreds of thousands of exposed public-facing IPs uncovered by its study. Databarracks found from its recent research that 57 per cent of organisations are concerned about the security of IoT.
The UK Government published a Secure by Design report in March 2018 and introduced a Code of Practice for consumer IoT security. A Code of Practice is a positive step, yet not enough to address the issue of IoT security, says Peter Groucutt, managing director of Databarracks. He says: “The content, guidelines and recommendations in the Code of Practice are excellent. It addresses the most fundamental cyber security practices in order of criticality and importance. But the scheme doesn’t prohibit non-compliance. We should take inspiration from countries such as the US and Thailand in seeking to make these requirements legally enforceable.
“Expert estimates vary in total quantity, but agree we’re now seeing sharp, hockey-stick growth in the number of connected devices. A lack of diligence and care now will lead to trouble later. Our lack of regulation means we see instances as serious as insecure children’s smartwatches. The Code of Practice will be adhered to by the diligent parties in the IoT supply chain, but it won’t prevent less committed companies favouring profit over security and pushing insecure products to market. The same company that produced these smartwatches was also found to be making insecure video baby monitors earlier this year.
“We often talk about digitalisation and digital transformation in business. From banking to healthcare, more of our lives are digital and online. There is a real difference between the relationship we used to have with technology and the world of IoT. As users, we were more involved with our desktop computer, installing antivirus software and making decisions about how we use it. With IoT devices, we are far less involved, we have less control over settings and we have many more devices to manage. Changes must be made to make the makers of these devices more responsible.
“The Code of Practice is currently only for consumer devices such as health trackers, smart home assistants and children’s toys and monitors. We recommend extending this reach.
“IoT devices aren’t just found in the consumer world. They are used on corporate networks which are only as strong as their weakest links. For example, earlier this year it was revealed that a casino was hacked via a thermometer in a fish tank. We advocate making the Code legally enforceable which is thankfully something the government is already considering and is an approach supported by several cyber experts. There is the argument that government interference might limit the UK’s ability to compete with other less regulated markets. But device security is now so fundamental that better regulation could be a competitive advantage and differentiation point for our manufacturers, service providers, developers and retailers.”
