Changing the security mindset for the IoT

Manufacturers need to change their mindset when it comes to the IoT

When a product is built, the manufacturer typically has a life cycle in mind for how long a consumer will ideally use the device. For example, smartphones are something that users typically swap out every two years, and automobile manufacturers expect car buyers to trade in their cars every five or so years.

The problem with this, though, is that humans don’t act the way these types of purchasing patterns presuppose. One need only look at a used car dealership or peruse eBay to find an aftermarket for cars or phones.

This secondary sales market is also something that is going to become more important for manufacturers to think about as the IoT grows. Why, you ask? Well, since many devices have a finite timeline in a company’s sell-sheet, they are not supported after their ‘expiration’ date, and usually that’s exactly the time when they bypass the trash and head straight to the aftermarket.

Chances are that those who buy these IoT devices from their previous owners could very well end up with something that’s no longer protected from any vulnerabilities that would be found afterwards. And there certainly would be a lot of those vulnerabilities, as both white hat and black hat hackers are constantly searching for them.

We have already seen many devices connected to the Internet fall susceptible to a hack due to software that is used to connect to the web, which ironically is also past its prime. Compromised items range from baby monitors to air conditioners to cars. Sadly, if something connects to the web, chances are it can be hacked. And there’s even an IoT search engine to make it happen faster.

Overall, we also know that cyber-security usually comes last when companies plan out their products and find ways to make them connected. Something has to give, right?

According to Todd Inskeep of Booz Allen Hamilton, companies need to start looking at building trust when it comes to these devices and their connectivity. At this year’s RSA Conference, he gave a presentation entitled Cyber Wars: The Trust Awakens.

During the talk, he discussed the need for a fundamental shift in product development. All stakeholders should be involved in this shift, from concept to R&D to marketing and sales, along with everyone in between. The reason for this is that without accounting for the worst case (should it happen) you lose customer trust.

In theory, companies would operate similarly to the military, which prepares in advance for all of the scenarios that can play out. They also operate systematically with their process. To put it into marketing speak, their brand is operating as a cohesive unit.

While change is something that we can all agree needs to happen with companies thinking of security, let’s be honest — it could take a long time. So what can you do?

When it comes to looking at purchases, you will always have choices as to what suits your needs at any given moment. For connected devices, I’d implore you to ask yourself the following questions:

 

1. Do I really need to have this connected to the web?

2. What is this company’s reputation on security?
