Creating IoT devices with the proper security measures often becomes a back-burner issue for small startup staffs already strapped for cash and rushing to get their product to market.
Smart watches and rings, mattresses that leverage machine learning, a collar that turns your dog into a walking data center — the technologies that were honored in the Best of Innovations category at this year’s CES all had one thing in common. They fall into the ever-growing technology sector called the internet of things.
The aim of nearly all of these technologies is to improve lives by making products and services streamlined and as easy to use as possible for consumers through connectivity. And for enterprises, the data coming off these devices is essential to determining what actionable insights could transform a business. But in the drive to get these products to market, many companies with great intentions are ignoring one major aspect that could stop their success in its tracks — security.
As recently as fall 2016, we saw distributed denial of service (DDoS) attacks bring down connected devices through relatively simple malware code. In its predictions for 2017, analyst firm Forrester anticipates that this year will bring IoT device breaches on a larger scale than ever before. It projects that the biggest targets will be fleet management in transportation, government security and surveillance applications, retail apps that manage inventory and warehouses, and industrial asset management in manufacturing.
The knowledge of the threat exists, so what is stopping companies from taking IoT security more seriously? I recently spoke with IOActive Director of Advisory Services Daniel Miessler, author of the new book “The Real Internet of Things,” and he boiled down the issue into three areas — pressure to increase the speed of bringing products to market, shortsightedness and a lack of qualified security personnel.
Speed Over Security
Getting a product in the hands of consumers is paramount for any tech company, but it imperils their security efforts.
“You make mistakes when you go too fast,” says Miessler. “It’s like that with any product features. The speed to get to market is one reason you forget features.”
Miessler attended CES 2017, and he said while there were a number of really impressive products, many of the companies he talked to worked at a breakneck pace to debut their wares on time. When in a rush, functionality takes precedence over security.
“You have the power and functionality, and it’s in a race with security catching up,” he says. “[Technology] is way, way out front, and it’s accelerating much faster than security, because security has limits on it. The only thing that’s going to get security to catch up is when the functionality goes so far and so fast that it hits something.”
Being Forward-Thinking With Security
Many of the companies inventing these new devices are startups, and while they often dream big, budgeting realities mean that security isn’t at the forefront of their worries, says Miessler.
He anticipates that — like internet and cloud computing before — IoT’s response to implementing security will likely be reactive instead of proactive. That’s because many of these companies are operating on shoestring budgets, only possible through venture capital funding rounds. He says companies that are worried about longevity aren’t thinking about their distant futures.
“It’s not possible to go to someone two weeks from going out of business and say, hey, if you get really popular, you might get hurt by having a security problem. For most, that sounds like an amazing problem to have.”
Unfortunately, a company that had its customers’ data breached likely could still go out of business or face a downturn because of lack of trust from their customers. They are readily giving up their privacy for these convenient connected technologies, says Miessler, and once that information is out there, it’s the proverbial challenge of trying to put toothpaste back in the tube.
“I think that IoT works best when it has all of your preferences,” he says, like fitness bands that store health information and recommend certain workouts or a virtual assistant that knows which credit card a user prefers. “The more data from consumers that IoT has, the more powerful it becomes. People will use it because they get functionality from it, but they don’t consider that personal data goes to the cloud, and it doesn’t come back. What are you going to do to change your height? Are you going to ask for another date of birth or social security number? These things don’t come back. They only go one direction.”
Lack of Skilled Security Staff
Whenever there is a new wave of technology, there is a lack of skilled professionals to fill some niches on the way to market. It’s well documented in big data that there are more open positions than data analysts can fill. For companies in IoT, the same is true for security positions. These people need a blend of skills, including knowledge about devices, ports and over-the-air updates. They also need to be versed in many types of security, like apps, network, application program interface (API) and cloud security. Miessler estimates that a professional with that blend of talent could make between $150,000 and $200,000, which is often what an entire startup staff makes.
For companies that want to address security before it becomes a problem, he recommends searching through information that is readily available.
“There is public information out there that they could consume to try and work into their product and not have an active blind spot,” he says.
And if that proves too difficult, Miessler suggested technology companies should supplement with service companies and get some expertise. Security will likely remain the company’s burden to bare, since consumers will mostly continue to crave IoT devices despite privacy fears.
“We do hear a lot that people are worried and scared about their privacy, but that won’t matter when they see the functionality. They are going to see the connected car and happily turn over their data.”