Does consumer risk outweigh business risk?

Bitcoin keeps climbing, online holiday shopping sets a new record, political stories fill headlines and another data breach or hack will remind some people of why they hate technology. Equifax, Uber, TIO Networks, the list grows daily and…oh look, another replacement credit card came in the mail today.

In response to the continuous news coverage and increased threat landscape, lawmakers and industry groups propose new standards and compliance requirements to rein in risky behavior. Vendors develop new solutions to combat evolving risks, security practitioners like myself discuss strategies to improve security and extoll the virtues of good cyber hygiene, and universities and certification bodies announce new programs to train and educate a workforce for the rapidly growing cyber field. Gartner predicts cumulative global security spending will hit the trillion-dollar mark over the next five years.

While it is wonderful to see an increase in security investment, nearly all of the focus is on business at a time when most devices belong to consumers.

Large organizations and governments fall victim to attacks daily, despite increased investment in layered defense strategies, solutions, and regulatory changes designed to reduce risks. Smaller organizations have even fewer resources and skilled personnel available to combat common threats. The average consumer with a $50 endpoint solution? Good luck. I hope you backed up your data somewhere safe.

What about me? 

For most of my adult life, security has played a significant role in my career and daily responsibilities. Creating compliance roadmaps, implementing solutions, monitoring and assessing, reporting, investigating, remediating, and nearly any other action verb tied to security – all have a place in my experience toolbox. Surely, someone like myself runs enterprise-grade solutions at home, right?

No. No end of life or gray market gear, no racks of repurposed servers heating a coat closet, no multi-layered, polymorphic hydra of pre-market security awesomeness humming in the background. I use consumer grade and open source stuff. I cannot afford enterprise solutions any more than the next person can. I also have a family that needs access, and I already catch enough grief over complex account passwords. Sophisticated attack defenses? I back up my data.

This should be a truly frightening issue, not merely for consumers, but for the businesses and governments whose resources are continuously exposed to these devices and users. According to Gartner, consumer devices, everything from phones, tablets, and laptops to refrigerators, home theater systems and smart lighting, make up 63% of all Internet of Things (IoT) solutions today.  With that trend expected to continue, and the overall number of devices projected to double before 2020, consumers present the largest target surface. Unfortunately, these same individuals have the least capable defense against the threats.

To improve consumer product security, we will need a security breakthrough at the lowest common denominator, a solution or series of solutions where consumer devices become low risk targets. Smart IoT devices should be incapable of becoming a future bot network, or mining blockchain currencies, or launching denial of service attacks. Educating people will not be enough. The average person should not have to worry about information security or how cyber solutions work anymore than he or she should be expected to know about how airbags, navigation or lane departure systems operate while driving a car.

This puts the problem back into the hands of industry and governments. Some entity must create standards, establish communication and processing protocols related to safety, security, and privacy, and impose limits on use and capabilities. Think of it as an Underwriters Laboratory label for consumer product security – the seal of approval means that a device only operates within certain parameters, and nothing more.

Few people would tolerate a world where homes had no doors, windows, locks, or security protections to prevent burglaries or intrusions. How many would accept handing credit cards to mobsters as they entered restaurants? Who would load all of their personal data and photos onto thumb drives and hand them out to strangers in dark alleys? These examples may sound ridiculous, but are these descriptions all that different from the digital jungle we find ourselves travelling every day?

Whether these future solutions employ machine learning or artificial intelligence, blockchain capability, or some new form of trust-based baselining technology is irrelevant, the need to do something is real. The key is for researchers to find the right pathways and discover the innovations that will make it possible. The alternative is living in an era of amazing technological capabilities marred by increased business and consumer risks and costs, along with lower levels of confidence, security, privacy and trust. What will it take to force us to change direction?