Welcome to the SecAware blog

I spy with my beady eye ...

22 Jul 2015

Taking the shine off IoT security

Various information security pundits are bleating about the evident lack of security in the Internet of Things, as if we should be both surprised and aghast. Get real guys!
Consumers* don't buy IoT products because they are secure.  They buy them because they are shiny.
Security is not shiny. It is an afterthought, at best. Worse still, since making IoT products secure means they cost more to manufacture, security is an anti-goal at this time. Companies attempting to sell relatively expensive, relatively secure IoT products now are unlikely to establish the market presence they need to make a success of the business, unless they are foresighted enough to forgo short-term success in favor of a (long-term, risky) strategic investment. 

Meanwhile, there is a premium on being first to market**.

In due course, when insecure IoT products have infiltrated our lives and IoT incidents are both frequent and severe enough to become genuine concerns (which they aren't yet), then IoT security will become something that consumers expect and value, to some extent. 

Doubtless IoT security standards will be released in due course, with marketing benefits for suppliers that claim compliance but also risks for those whose products cannot be made compliant or who follow standards that subsequently flounder.

Suppliers already in the IoT market today also have the option of offering their customers 'security enhanced' upgraded products in due course. Upgrading is a soft-sell to existing customers, locks them in, and further enhances the brand, provided the migration is properly handled - again, there are risks such as being perceived to have been supplying woefully insecure products.

The driver to all this, just in case you missed it, is business not security.

So, security pundits, your challenge is to make a sound business case for IoT security instead of bleating on about it. Stop crying wolf and start persuading IoT suppliers that it is in their commercial interests to offer secure products. For example, what does "secure" actually mean in this context? It's not nearly as obvious as it might appear.

Alternatively how about educating and persuading consumers to pay more attention to their information risks and the security in the IoT products they have in their sights. Explain the issues in terms they can understand. Prompt them to ask the right questions of their IoT suppliers. Warn them about the incidents they are likely to suffer (not those desperate worst-case scenarios) if they ignore the issue.

Whining lmely at the IoT suppliers is pointless.


* I'm talking here about retail consumers i.e. home/personal users of IoT things. The situation is somewhat different in the business domain ... or at least it should be once the information risks relating to IoT are (a) identified, (b) assessed and evaluated, and (c) treated. Does anyone even have a policy on IoT security as yet? I'll be writing my first one next month, along with a stack of IoT security awareness materials for delivery to NoticeBored subscribers at the end of August. 

**  Sony was once renowned for creating new market segments, being first to market with innovative products such as the Walkman. Oh how the mighty have fallen!

No comments:

Post a Comment