Q: For entrepreneurs going into the Internet of Things, what do they need to worry about? How do they keep their product safe?
A: One of the biggest security challenges we will face over the next five years is how to secure the 50 billion devices coming online. Between the exponential growth of connected devices and the introduction of hyper-connectivity with 5G, the bad actors will have an unprecedented ability to leverage an extraordinarily large attack surface at previously unrealized speeds.
In the middle of 2014, HP published research that basically suggested that most IoT device manufacturers were forgoing any meaningful security and instead solving for time to market and convenience. In the report, they looked at the top 10 devices deployed in consumers' homes and found that they had on average 25 vulnerabilities each. Most of those vulnerabilities were things that any security practitioner would address before taking the device to market, such as not using encrypted communications, not requiring a password reset and not requiring a complex password, to name a few. I recall being on a panel at an IoT conference last year where one of the panelists talked about a connected lightbulb that was broadcasting WiFi passwords in clear text so anyone who detected the lightbulb would be able to easily tunnel into any device connected to the WiFi.
To build trust with the businesses and consumers who will be purchasing your IoT devices, I suggest you consider the following:
Build security in from the beginning.
Hire a cybersecurity expert or seek consultation to ensure you are building products that are secure before you take them to market. Your worst nightmare would be waking up one morning to find your IoT devices were shown to be easily hacked or have a serious exploitable vulnerability.
Take privacy seriously.
Don’t bury the privacy statement deep in a EULA, and be sure to use simple language that clearly reflects what information you will be collecting and what you will be doing with the data.
Only collect the data you need and what you say you’re going to collect, and only do with it what you say in your privacy statement.
Plan for the worst.
Even if you have built a secure IoT device and are adhering to your privacy statement, you still may find your device and company being the victim of an attack. You should build and practice a crisis communications plan should your company’s IoT device be a negative media headline.
Security practices, architectures and solutions are constantly evolving, especially as they relate to IoT. Stay informed of what’s going on in the space and use the latest, best known methods and techniques.
Research was recently published saying that 45 percent of those surveyed said concerns over online privacy and security stopped them from using the Internet in very practical ways. I believe for the full potential of the Internet and IoT devices to be realized, we must demonstrate both can be properly secured and that we can protect the privacy of those who use them.