It’s not difficult to find stories about consumer-goods companies that have introduced Internet-connected products only to suffer either a direct financial loss due to a criminal cyber-attack, or a reputational hit through a white-hat attack publicly exposing serious data vulnerabilities.
Last fall, security researcher Matt Jakubowski showed that he could eavesdrop on a family via Mattel’s Hello Barbie doll, which connects to a home’s Wi-Fi network to enable a cloud-based service that listens to what a child says to the doll and then generates responses. Toymaker VTech suffered an even worse attack, when a hacker showed that he had accessed the names, e-mail addresses, passwords and home addresses of 4.8 million parents who had bought connected toys for their children.
So what should companies that are currently selling or are planning to sell connected products do to ensure the privacy of their customers’ data, and to reduce their own corporate risks? On Wednesday, Jan. 6, a panel of cybersecurity experts explored those questions during a cybersecurity forum held at the Consumer Technology Association’s annual trade show, CES, in Las Vegas.
Brian Krebs, who writes about cybersecurity at KrebsOnSecurity.com, says manufacturers of consumer goods are under pressure not only to ship new electronic products quickly, but also to add ever more features with each iteration. “They then ship the products with those features enabled, while it would be far better to have the consumer enable them,” he says. Shipping with features off by default is, in his view, a common-sense first line of defense for product security, since some consumers would never turn on a device’s sensors or radios unless they needed them to start a service the device provides.
Loading a product with features that collect and share data increases what cybersecurity experts call the attack surface—that is, the breadth of digital pathways into the product or the data streams it generates, and through which a nefarious party could compromise the device’s security. So Krebs believes manufacturers ought to be more thoughtful about what features they add to products in the first place, and should not assume that they could add adequate security protections to those devices after they are already in consumers’ hands.
Encryption Is Not a Security Cure-All
When asked to name one of the biggest missteps that corporations make in their approach to product security, Tom Kellermann, chief cybersecurity officer at Trend Micro, a cybersecurity services firm, pointed to an over-reliance on data encryption. If criminals obtain the encryption keys by gaining administrative access, he reminded attendees, “encryption won’t save you.” He and the other panelists recommended a multi-layered approach that does not rely solely on encryption.
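Kellermann’s point is about key custody rather than the cipher. The Go program below is an added illustration, not code from the panel or from any product discussed, and it uses only the standard library plus a hypothetical in-process KeyService that stands in for a KMS or HSM. It stores the same constructed customer record two ways: the naive design keeps the data-encryption key next to the ciphertext, so anyone who can read the disk reads everything; the envelope design stores only a KEK-wrapped data key, which stops a disk-only intruder but, exactly as Kellermann warns, not one who has gained administrative access to the key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// randomBytes returns n bytes from the OS CSPRNG; failure there is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds an AES-256-GCM AEAD; every key here is 32 bytes, so an error is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// aeadSeal encrypts plaintext under key with a fresh random 96-bit nonce.
func aeadSeal(key, plaintext []byte) (nonce, ciphertext []byte) {
	gcm := gcmFor(key)
	nonce = randomBytes(gcm.NonceSize())
	return nonce, gcm.Seal(nil, nonce, plaintext, nil)
}

// aeadOpen decrypts; a wrong key fails the GCM tag check and returns an error, not garbage.
func aeadOpen(key, nonce, ciphertext []byte) ([]byte, error) {
	return gcmFor(key).Open(nil, nonce, ciphertext, nil)
}

// KeyService is a hypothetical stand-in for a KMS or HSM: the key-encryption key (KEK)
// never leaves it, and callers may only ask it to wrap or unwrap data-encryption keys.
type KeyService struct{ kek []byte }

func NewKeyService() *KeyService                                   { return &KeyService{kek: randomBytes(32)} }
func (k *KeyService) Wrap(dek []byte) (nonce, wrapped []byte)      { return aeadSeal(k.kek, dek) }
func (k *KeyService) Unwrap(nonce, wrapped []byte) ([]byte, error) { return aeadOpen(k.kek, nonce, wrapped) }

// StoredRecord is everything that lands on disk or in the database for one customer record.
type StoredRecord struct {
	Nonce, Ciphertext    []byte
	DEKNonce, WrappedDEK []byte // envelope design: DEK stored only in KEK-wrapped form
	PlainDEK             []byte // naive design: DEK stored beside the data it protects
}

// store encrypts under a fresh DEK; ks == nil models the naive design (DEK saved beside the data).
func store(ks *KeyService, plaintext []byte) StoredRecord {
	dek := randomBytes(32)
	nonce, ct := aeadSeal(dek, plaintext)
	rec := StoredRecord{Nonce: nonce, Ciphertext: ct}
	if ks == nil {
		rec.PlainDEK = dek
	} else {
		rec.DEKNonce, rec.WrappedDEK = ks.Wrap(dek)
	}
	return rec
}

// decryptEnvelope is the legitimate read path, and also what an intruder with admin access to the key service runs.
func decryptEnvelope(ks *KeyService, rec StoredRecord) ([]byte, error) {
	dek, err := ks.Unwrap(rec.DEKNonce, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, rec.Nonce, rec.Ciphertext)
}

// attackerWithDiskAccess models an intruder who copied every stored byte but never reached the key service.
func attackerWithDiskAccess(rec StoredRecord) ([]byte, error) {
	if rec.PlainDEK != nil {
		return aeadOpen(rec.PlainDEK, rec.Nonce, rec.Ciphertext) // naive design: the key is right there
	}
	// Best effort: use the first 32 of the 48 wrapped bytes (32 + 16-byte tag) as a key; GCM rejects it.
	return aeadOpen(rec.WrappedDEK[:32], rec.Nonce, rec.Ciphertext)
}

func main() {
	ks := NewKeyService()
	secret := []byte("parent@example.com,hunter2,1 Main St") // constructed sample record
	naive, env := store(nil, secret), store(ks, secret)
	pt, err := attackerWithDiskAccess(naive)
	fmt.Printf("naive design, disk-only attacker:    %q err=%v\n", pt, err)
	pt, err = attackerWithDiskAccess(env)
	fmt.Printf("envelope design, disk-only attacker: %q err=%v\n", pt, err)
	pt, err = decryptEnvelope(ks, env)
	fmt.Printf("envelope design, key-service admin:  %q err=%v\n", pt, err)
}
```

The design choice worth noticing is that decryptEnvelope is the same code for the application and for the intruder: once an attacker can call Unwrap, the cipher strength is irrelevant. Separating the KEK into a component with its own access control and audit log is what turns “encryption” into an actual barrier, and it is that boundary, not the algorithm, that the panel’s multi-layered approach protects.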
The panelists also advised drawing up priority lists and identifying the “crown jewels”—that is, the data sources that require the most protection—rather than trying to apply the same level of security across an entire enterprise and all of its products, which is rarely feasible or necessary.
Conducting regular incident-response drills, in which the company stages a simulated attack and then walks through the cascade of actions it would take to contain the breach and limit the damage, is an important practice that many companies neglect.
Finally, the panelists said that companies should not assume they can make themselves immune to every security breach. Accordingly, Kellermann said, chief marketing officers should also allocate resources to protecting the corporate reputation in the event of an attack. “Sony was just the canary in the coal mine,” he said, referring to the major data breach that Sony Pictures Entertainment suffered in 2014.
A New Cyber School
During the forum, Graham Holdings Co., a diversified media and education provider, introduced CyberVista, a new venture that will provide cybersecurity education and workforce development training. Working with test-preparation and professional education services provider Kaplan, CyberVista is offering training programs aimed at helping its clients to build out the knowledge and skills required to better secure their products and IT systems.
CyberVista’s initial offering, which consists of basic security training for corporate board members and executives, is designed to help these influencers and decision-makers attain a better understanding of cyber issues that affect their organizations. In time, CyberVista says, it also plans to introduce a certificate program for IT professionals.
CyberVista’s advisory board includes Kellermann, and the company sponsored the cybersecurity forum.