According to the 2014 Hewlett-Packard Internet of Things Research Study, 70 percent of connected products analyzed did not use data encryption when establishing network connections. Yet, that’s a standard that has been in place for websites transmitting personal data for nearly 20 years.
If you work for a company that is banking on the promise of the Internet of Things, that kind of statistic should keep you up at night. This poor state of security protections in IoT devices threatens to undermine the enormous economic opportunity that the IoT represents—and the lack of encryption is only one of the many weaknesses in shipping connected products.
With an expected 50 billion devices connecting to the Internet by 2020, vulnerable entry points are multiplying exponentially across myriad business sectors. Enterprise and infrastructure security incidents can affect millions of people and impact a company’s brand reputation and bottom line.
From hacked routers to smart refrigerators sending spam e-mail, no sector or industry is immune from attack. A couple of high-visibility breaches will spread distrust of the entire IoT ecosystem.
The Domino Effect of Vulnerabilities
In certain cases, the compromise of a single device—maybe one to which an attacker has physical access—could lead to data leakage that could compromise other devices remotely. To ensure that this is not possible, it is important for devices to use hardware-protection mechanisms, where available, to safeguard critical digital keys.
Consider a connected heating, ventilating and air-conditioning (HVAC) system. Such a system communicates with a back-end server that may relay information from a mobile device or communicate user-specific usage patterns. If the system does not mandate complex encryption keys, any data that travels to and from it will be insecure, and can thus be tapped and used to gain access. One compromised HVAC system could then lead to an attack on other buildings’ systems, enabling the attackers to ascertain when a building is unoccupied, or even snoop on other networks or devices. Yes, it is possible to turn an HVAC system into a spy.
And about those hacked refrigerators: While you may think an attack would lead to nothing more than spoiled milk, gaining control of a device behind a firewall could enable attacks on more important devices on your network, and could even lead a nefarious party to financial or company data. (And it’s not just a concern for homeowners. Does your office have a fridge in the break room?)
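The single-device compromise described at the start of this section can be made concrete. The Python sketch below is an added example, not code from the article or from Electric Imp: it compares a fleet that ships one shared authentication key with a fleet where the back end derives a distinct key per device, and reports which devices could be impersonated using the key material taken from one unit. The HMAC-based derivation scheme, the function names and the device IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample keys; none of these names come from the article.
FLEET_KEY = secrets.token_bytes(32)   # weak design: identical key in every unit
MASTER_KEY = secrets.token_bytes(32)  # hardened design: never leaves the back end


def derive_device_key(master_key, device_id):
    """Per-device key = HMAC-SHA256(master, label | id); a device stores only its own."""
    return hmac.new(master_key, b"device-key|" + device_id.encode(),
                    hashlib.sha256).digest()


def sign(key, device_id, payload):
    """Authentication tag that binds a payload to the claimed sender identity."""
    return hmac.new(key, device_id.encode() + b"|" + payload,
                    hashlib.sha256).digest()


def verify_shared(device_id, payload, tag):
    """Back-end check when every device holds FLEET_KEY."""
    return hmac.compare_digest(sign(FLEET_KEY, device_id, payload), tag)


def verify_per_device(device_id, payload, tag):
    """Back-end check when each device holds a key derived from MASTER_KEY."""
    key = derive_device_key(MASTER_KEY, device_id)
    return hmac.compare_digest(sign(key, device_id, payload), tag)


def blast_radius(fleet, compromised):
    """List the devices whose messages verify using keys read out of one unit."""
    payload = b'{"occupied": false}'             # constructed telemetry message
    leaked_shared = FLEET_KEY                    # what the unit holds, weak design
    leaked_unique = derive_device_key(MASTER_KEY, compromised)  # hardened design
    return {
        "shared": [d for d in fleet
                   if verify_shared(d, payload, sign(leaked_shared, d, payload))],
        "per_device": [d for d in fleet
                       if verify_per_device(d, payload, sign(leaked_unique, d, payload))],
    }


if __name__ == "__main__":
    fleet = ["hvac-001", "hvac-002", "hvac-003"]  # constructed device IDs
    print(blast_radius(fleet, "hvac-001"))
```

With a shared key the whole fleet is exposed by one unit; with derived keys the exposure stops at the device that was opened, which is why the master key belongs in protected storage on the back end and each device key in hardware-protected storage where available.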
Security Is a Journey, Not a Destination
So how do you secure your connected business in an insecure world?
The only way to prevent breaches is to build security into a device—and the infrastructure that connects and serves it—at the outset. This may include encryption, secure boot, hardware protections and cryptographic authentication, at a minimum. Security cannot be an afterthought. Instead, it needs to be treated as a continuous process that is agile, adaptable, timely and managed throughout a product’s lifetime.
This doesn’t have to be complicated and time-consuming. If you think carefully about the security implications at each step of the product-design process, it is entirely possible to engineer in safety and trustworthiness.
An Ounce of Prevention…
First and foremost, start at the design phase. It’s very difficult to add security after the fact.
Next, make sure you budget for security—including after the product launches. Security is an ongoing effort, and you’ll need to provide updates for the lifetime of your products. Security maintenance may not be free, but it is critical. Damage to your company’s reputation is even more costly.
You should be prepared to repel a range of attacks, such as an intruder gaining physical, local or direct network access; “man in the middle” (MITM) attacks between a device and network; or attacks on host servers. Attacks may first be deflected via preventative measures built into a device’s design, and then with continuous vigilance enabled by software patches and remote updates.
Finally, it must be possible to update your product securely and without user intervention. Users can’t be relied upon to perform this task with the required urgency; every device should be capable of being updated remotely and automatically.
It’s Dangerous to Go It Alone
To build security into your connected business, you don’t have to go it alone. There are some options to consider that will help ensure the security of your products and enterprise. Whether you task an in-house team or rely on outside consultants or a platform, remember that they will have to be on board well after the launch.
Platform managers have dedicated specialists who continuously update security patches and instructions. Just as a software-as-a-service (SaaS) provider offers continual updates and fixes to users, a secure platform monitors and seamlessly patches your product on an ongoing basis, with minimum disruption to the end user.
As the IoT expands, you will need to quickly ensure that your business and products stay relevant. But when it comes to security, a more deliberate approach is essential. The viability and success of your products—and business—depend on it.
Hugo Fiennes is the CEO and co-founder of Electric Imp.