How are companies ensuring the security of IoT devices?
The Internet of Things (IoT) is one of the most exciting developments of the internet age, and it’s proving to be increasingly popular. In fact, Gartner predicts that over 20 billion IoT devices will be in use worldwide by 2020. For those unfamiliar, IoT refers to a system of interconnected computing devices, mechanical and digital machines, or objects that have the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. It’s how everyday devices like cars, thermostats, watches, and even coffee makers are connected to each other — and you. These IoT devices offer pure, frictionless convenience.
The possibilities for IoT devices, much like the internet itself, are endless. But with all of those possibilities come risks. The more connected we are, the more points of vulnerability there are for bad actors to hack and steal data. Because IoT devices are so connected, it’s no wonder that there are rising concerns from consumers about how susceptible they are to attacks. When an IoT device is attacked, it’s not just the one device that’s compromised — but a user’s entire network. With more and more potentially sensitive info stored on these networks, those breaches have the potential to be very serious.
It’s imperative that companies that produce IoT devices understand these concerns and take steps to mitigate the risks to their consumers’ personal data. There are a few best practices suggested for companies that want to ensure that their IoT devices are safe.
Security from the start
The best security is security that’s implemented before a device is released to the market. It’s always better to have top-notch security built in from the start rather than trying to fix it retroactively. That means that developers should be building top-of-the-line security measures into the product before it’s even released. This might mean having a red team audit the devices before they’re commercially released. Or, companies could require that users personalize their credentials at setup so they aren’t just using the default — a common vulnerability that’s often exploited by hackers. Another measure is to require HTTPS if there’s web access. Smarter security means design that anticipates and safeguards against vulnerabilities from the very beginning.
Securing data and physical devices
One important step for security is to be cautious about data. Companies that collect and analyze the data themselves should invest in preventative measures against hacking and data theft. It may be necessary to invest in third-party providers for IoT device protection such as cyber security companies that specialize in data security and breach prevention. If they sell the data, it’s essential that they thoroughly vet the recipient and only sell to reputable institutions with robust security themselves.
Another is to make sure that the devices themselves are secure and can’t be tampered with. This kind of endpoint hardening can help block potential intruders from accessing the data, especially when devices or equipment are often left unattended. Robust endpoint hardening will also make it harder for bad-faith actors to buy and tamper with a device, weaponizing it for nefarious purposes. Companies that are interested in this kind of security should lock down common vulnerabilities, like open TCP/UDP ports, open serial ports, open password prompts, unencrypted communications, and radio connections.
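The lock-down list above, together with the earlier points on default credentials and HTTPS, can be turned into a pre-release check. The following is an added example, not part of the original article: it audits `ss -tuln`-style output and a setup-state record from a hypothetical device, and the port allowlist, the setup field names and all sample data are assumptions constructed for illustration.

```python
# Added example: audit listening sockets and setup state against the
# hardening points in the article. All sample data below is constructed.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5355     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1900       0.0.0.0:*
tcp   LISTEN 0      128    [::]:8883          [::]:*
"""
SAMPLE_SETUP = {"password_is_factory_default": True, "serial_console_enabled": False}

# Assumed policy for this hypothetical product: HTTPS and MQTT over TLS only.
ALLOWED = {("tcp", 443), ("tcp", 8883)}
# Well-known cleartext services on their IANA-registered TCP ports.
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}
LOOPBACK = ("127.", "[::1]")


def parse_listeners(ss_output):
    """Yield (proto, address, port) for each socket line after the header."""
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)


def audit(ss_output, setup):
    """Return a sorted list of findings; an empty list means all checks passed."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        if addr.startswith(LOOPBACK):
            continue  # bound to loopback, not reachable from the network
        if proto == "tcp" and port in CLEARTEXT:
            findings.append(f"unencrypted {CLEARTEXT[port]} on {proto}/{port}")
        elif (proto, port) not in ALLOWED:
            findings.append(f"unexpected open port {proto}/{port}")
    if setup.get("password_is_factory_default"):
        findings.append("default credentials still active")
    if setup.get("serial_console_enabled"):
        findings.append("serial console enabled")
    return sorted(findings)
```

Run as a release gate, a non-empty result from `audit(SAMPLE_SS, SAMPLE_SETUP)` would block the build until the listed services are closed or moved to TLS.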
Transparency with consumers
An Economist Intelligence Unit (EIU) study found that an overwhelming majority of consumers are concerned about the security of their data and want control over how it’s used: over 90 percent say they want to control what personal information is automatically collected. And if those rights aren’t respected, 92 percent of respondents support increasing punishments for companies that violate consumers’ privacy.
One way to get consumers to buy in is to be transparent about how the IoT device in question will collect data, how that data will be stored, and what options users have to control that. That means companies should not only develop privacy policies that are clear about exactly how they collect and use data, but also make those policies accessible to users. No more deliberately confusing language in the terms and conditions! Customers who see a company making a good faith effort to explain how and where their data is being used will appreciate the transparency.
IoT devices aren’t going anywhere, and neither are concerns about security. While legislative and policy measures currently lag behind the rapidly developing technology, that won’t be the case for long. As more and more IoT devices become part of everyday life for an increasing number of people, concerns over data and privacy will only increase. Companies that wish to build consumer buy-in and remain compliant for years to come will begin to invest in security best practices today.