Secure By Design

With the security of connected devices an ongoing concern for manufacturers and consumers alike, where does the responsibility lie?

The Internet of Things (IoT) continues to grow as consumers, businesses and governments recognise the benefit of connecting devices to the Internet, be it smartphones, wearable devices or smart homes. What once was the plot of creative Hollywood blockbuster movies is now becoming a reality. It is estimated that the number of connected devices in use by 2020 will be 30 billion, one in five cars will be connected vehicles in the next five years and, by 2025, the IoT is predicted to have a global economic impact of US $11 trillion. (McKinsey, 2015)

The growing presence of connected devices is increasing efficiency in homes, workplaces and other areas of life that have seen the introduction of the IoT. Despite the expansion of connected devices, there remain a number of consumers who are reluctant to adopt the IoT due to security concerns. One of the reasons for this is that security often remains an afterthought during development, so a device may contain vulnerable software by the time it is in the hands of the consumer, making the consumer an easy target for being hacked.

Considering that security and data privacy continue to have an impact on the way consumers engage with a device (to buy or not to buy), one argument is that manufacturers should be increasingly migrating towards the early installation of necessary security measures. According to ISACA’s 2015 IT Risk/Reward Barometer study, 72 percent of IT and cybersecurity professionals say manufacturers are not implementing sufficient security in IoT devices.

The allocation of security testing often sits further down the development chain, meaning security vulnerabilities can be overlooked or ignored when a product launches to market. This is especially true if the testing could delay the product hitting the market. But security and data privacy concerns are critical issues for manufacturers to consider before commencing development.

Some manufacturers point to the costly and untimely setbacks caused by having to address security requirements early in the development cycle. While this may be a valid argument from a marketing perspective, building security controls into systems from the get-go is far more cost effective than adding them later in the development cycle or, worse, after deployment, when the vulnerability becomes public. A recent US study found that almost 50 percent of consumers say that a company is unable to win back their confidence after it has lost personal data. (Humphries, 2014)

Consumers are generally under the impression that a device is manufactured with their security and privacy expectations in mind. The 2015 IT Risk/Reward Barometer study also showed 65 percent of Australian consumers are confident they understand and can control the security on the IoT devices they own. But should that trust be eroded, not surprisingly, more than two-thirds of consumers in the US, UK and Germany revealed that they would drop a company after it had been subjected to a hack. (Centrify Consumer Trust Survey)

According to the Australian cybersecurity and IT professionals ISACA surveyed for the study, device manufacturers are falling short. More than seven in 10 do not think current security standards sufficiently address the IoT and believe that updates and/or new standards are needed. Privacy is also an issue; 90 percent believe that device makers do not make consumers sufficiently aware of the type of information the devices can collect.

So the argument at play contests whether consumers should be more wary of their security and privacy when dealing with connected devices, or whether the manufacturers should be increasing their standards and developing connected devices that do not have any security flaws.

Although the onus is often placed on the manufacturer, consumers also have a part to play in ensuring a device is secure enough for their needs. Would anyone buy a bag with a broken zipper or a car with no locks? No. The same can be said for connected devices. If secure code is not installed in the first instance, a device may not function as expected. Security is everyone’s responsibility – from the developer to the manufacturer and right through to the consumer.

While there is a need for developers to be competent in secure coding, or work with security experts to go through testing procedures as the development occurs, consumers also need to take responsibility for their security by using a device in a secure manner, such as applying adequate password protection, ensuring secure Wi-Fi connections and encrypting all sensitive information. Consumers also can vote with their wallets and only buy devices that can be automatically updated with security upgrades and that enable social media sharing to be opt-in. For example, currently, most smart home devices are fixed function devices, meaning once they are shipped and installed they cannot be upgraded to add security. This leaves home owners vulnerable to hacks if there are holes in the security design and software.

As mentioned, software security is often overlooked as a business imperative. However, there are a number of manufacturers that are aware of the need to build secure products before they are launched to market – thus limiting the potential for data breaches. And what sets these manufacturers apart from those that do not look to build secure devices from the get-go? They understand the need to be secure by design. It is not just about patching up vulnerabilities after the system is created, but building software from the start with the right security components to ensure that security is intrinsically embedded and not left as an afterthought.

Garry Barnes
Garry Barnes is practice lead, Governance Advisory at Vital Interacts (Australia). He has more than 20 years of experience in information and IT security, IT audit and risk management and governance, having worked in a number of New South Wales public sector agencies and in banking and consulting. ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global non-profit association of 140,000 professionals in 180 countries.