Security and the Internet of Things – are we repeating history?

The Internet of Things (IoT) refers to the networking of endpoint products and objects that can be accessed via the Internet. The objective of this level of networking is to make our every day experiences more streamlined and efficient. Such an evolution is a logical progression in an increasingly networked world that favors optimum performance.

However, as we head toward an even more interconnected existence, this raises a very pertinent question: given the difficulties and various success rates of implementing cybersecurity practices in our professional and personal lives, are we ready to secure IoT devices and products?

[ ALSO ON CSO: Welcome to the Internet of Things. Please check your privacy at the door. ]

Our cybersecurity landscape is rife with well-publicized breaches committed by cyber criminals and cyber espionage actors. They have proven remarkably resourceful, innovative, and persistent in exploiting known and unknown vulnerabilities.  Considering that a 2014 HP report revealed that 70 percent of IoT devices were vulnerable to hacking, it appears that the bad guys will have even more opportunities to gain unauthorized access in pursuit of their nefarious activities.

There have been many discussions among cybersecurity experts regarding the security challenges that IoT presents. Gartner forecasts that 4.9 billion connected things will be in use in 2015, up 30 percent from 2014, and will reach 25 billion by 2020. The additions of these devices will make our networks more complex, and in turn, increase the greater potential impact that can occur as a result of a breach. Nevertheless, despite the recent events of cybersecurity failures, we seem committed to adopting IoT technology without having a security plan in place. 

The IoT era brings with it more security questions than answers. Among the more pressing topics that keep coming up include but are not limited to:

• Privacy Concerns: One lesson we have learned from smartphone technology is that it collects information on you, often without your knowledge or consent.  According to one source, sensor technology on smart devices collects 30 percent of the world’s data. Similarly, IoT devices will do the same and when aggregated, can potentially provide a profile of the consumer. Who will have access to this data, where will it be stored, and how will it be secured are questions that need to be answered.
• Unwanted Surveillance: As IoT devices are integrated into every aspect of our lives and devices “talk” to one another, there will be an increased opportunity for unwanted surveillance. There have been recorded incidents where intruders have compromised Internet accessible home devices. In April 2015, baby monitors were hacked allowing the perpetrators to control the camera and speaker functions. Any devices with a visual or audio capability are potentially vulnerable to being taken control of if hacked.
• Securing Your Network:  Whether on a home or enterprise level, every IoT device connected to the network needs to be monitored and patched accordingly. Any “lag time” in performing even the most basic of cybersecurity hygiene greatly increases your risk to hostile threat actors. Considering that many breaches are the result of faulty patch management practices, this is a real concern.

If IoTs are integrated into a personal or enterprise network, they represent potential entry points for malicious actors. No longer will attackers need to focus on targeting individuals or trying to exploit their computers, laptops, or mobile phones, IoT will provide them an opportunity to breach seemingly innocuous devices and potentially gain the same level of access. 

And herein lies the two-edged nature of IoT – the very technology that is being positioned to touch every aspect of our lives is the same technology that if exploited can pose a grave security threat to our information. If unregulated access is a serious security concern with Bring Your Own Device into the workplace, this threat is magnified substantially as more devices are invariably introduced into the network.

It’s often said that the current Internet was built and developed for performance and usability and not with security in mind. Our cybersecurity reality certainly reflects this contention; a 2014 report estimated financial losses to the world economy as a result of cyber crime and cyber espionage at $445 billion, a sobering figure that is indicative of our inability to address the threat in front of us.

Before we fully embrace the IoT, it might be best to pause and consider how these devices can be built with security in mind so we can prepare for the future threat.  Right now, technology is headed toward the IoT with the goal of transforming our lives via efficient, interconnected communications and data transfers. Failing to incorporate the necessary security applications prior to the full adoption of these devices will result in us making the same mistake again.

Intelligence may be built into devices, but common sense is not. There is a reason why people who don’t learn from history are doomed to repeat it. We need to break that cycle now.