10 Ways IoT Companies Can Improve Their Security Practices

Post written by Forbes Technology Council

The IoT is quickly incorporating more and more products. But are we sure these new products are secure?

After hackers tested their ability to remotely control a Jeep in 2015 -- and were able to shut down the engine while it was on the freeway -- the issue of security for IoT devices is on everyone's mind. Fortunately, some of the top minds in tech are already thinking about the problem.

Clockwise from top left: Alan Romans, Ian Davies, Ashley Saddul, Leon Carelli, Neill Feather, Tim Maliyil, Jere Simpson, Jim Walsh, Danny Boice, Bishnu Nayak. All photos courtesy of the individual members.

Below, ten technology executives from Forbes Technology Council offer their suggestions for IoT companies on ways to improve or change their security practices to better serve consumers using these products.

1. IoT Encryption and Authentication

In healthcare, there are vital signs monitors, portable x-ray and ultrasound, call systems, etc. Almost every vendor software I've seen is lacking proper security. They need to focus on a few things. First, encryption: This is an easy fix. Just wrap all communications/storage in SSL or another algorithm. Second, authentication: This is somewhat harder to fix, especially with IoT devices, but maybe biometrics will help. – Alan Romans, Ashland Health Center

2. Security as a Foundation

With cyber terrorists increasingly searching for sensitive information by hacking into the IoT, security design should be the foundation of the product. This means developing an industry standard methodology that places security at the beginning of the process and not the end. The Open Web Application Security Project (OWASP) contains some best practices to address this. – Ian Davies, Skiltrek Staffing

3. Encryption

Do not make it easy for hackers to break into your system. Follow industry standards, protocols and best practices when collecting and exchanging data. Everything must be done over secure connections. Never store personally identifiable customer information in order to mitigate the impact of a security breach. Offer the ability to trace activity via logs to help with diagnostics. – Ashley Saddul, Recruiter.com

4. Good Informants

An easy change that greatly serves consumers using the IoT is clear information and timely notifications. Make sure that literature clearly explains how a product connects with the IoT, including what, if any, protections are provided for that interaction (i.e. encryption). Provide email notifications for system state changes or when portals are accessed from new locations. It's simple, yet effective. – Leon Carelli, Locks Law Firm

5. Up-Front Attitudes About Risks and Practices

A consumer is always accepting some level of risk with an IoT device. Manufacturers need to educate potential consumers about what information they are collecting and how it is transmitted and shared. This will allow consumers to make an informed decision to either buy the product and accept the risk or forego that purchase. – Neill Feather, SiteLock

6. 360-Degree Security Enforcement With Complete Transparency

Security must be executed during the entire life cycle of the product starting from development and deployment to operations. Best-in-class security practices need to be adhered to for AAA, data encryption, privacy, compliance, etc. The providers must be transparent with consumers regarding security ramifications for every touch point including how the user data is stored, processed and used. – Bishnu Nayak, FixStream Inc.

7. Security as a Priority

The big reason IoT security is lacking so much right now is because the average consumer is not placing a high value on security. As a result, many companies do not invest enough resources into developing a more robust security because that is not going to help their product sell. They simply invest in the minimum requirements to get their product on the shelf. – Danny Boice, Trustify

8. Improved Security and Quality Practices

A malfunction in an IoT endpoint can lead to real-world consequences, like a furnace switching itself off on a cold night. Quality practices like "test in deployment with fast revert" are common for many highly redundant cloud-deployed systems. When dealing with IoT, malfunctions and security issues in the end-to-end system can have health/safety consequences even for everyday products. – Jim Walsh, GlobalLogic

9. Eliminate Personally Identifying Information

At netpure we are very careful not to tie any user behavioral data to personally identifying information that could be exploited. IoT companies must take extra steps to ensure there is no connection. – Jere Simpson, netpure™

10. Products Designed With Security in Mind

You want to get a working product to customers, but even the most talented software engineers need guidance on best practices to keep a system secure. A security professional needs to be involved with the product design. Trivial matters can become big problems. An example is a recent BMW vulnerability where the cars could be compromised since they weren’t using SSL -- an easily avoidable error. – Tim Maliyil, AlertBoot