Why the IoT Industry Must Prioritize Privacy

By James Carder

Companies that offer IoT products often prioritize functionality, availability and accessibility, but security and privacy must be more than mere afterthoughts.

Smart devices are revolutionizing the world—especially as millions have shifted to sheltering in place, depending on technology more than ever. However, these connected devices are not always secure, as witnessed by recent incidents from Ring, Amazon Alexa and The Snoo Smart, an internet-connected bassinet. Nonetheless, as the Internet of Things (IoT) makes our lives more convenient, adoption will continue to rise, with IDC estimating there will be 42 billion connected devices by 2025.

Companies producing IoT products often prioritize functionality, availability and accessibility, with security and privacy as afterthoughts, implementing the bare minimum to check the box. These businesses should prioritize user safety, security and privacy, as the increased usage will create a rise in cyberattacks targeting these devices. Furthermore, privacy can lead to a competitive edge, with 87 percent of consumers willing to take their business elsewhere if they do not trust how a company is handling their data.

Prioritizing Convenience Over Security
While this technology makes daily tasks a little bit easier by reminding users of a chore or calling their mother for them, consumers do not realize that devices are always listening. For instance, thousands of Amazon employees listen in to conversations, without users' consent, via the Amazon Alexa. What's more, the data is not anonymized and can be traced back.

While Amazon claims this information is used to improve the customer experience, it leaves customers vulnerable to a hacker eavesdropping on these personal conversations, which may allow them to commit fraud or leverage information for ransom. Users can disable this setting, but there is not a 100 percent guarantee that Alexa will not listen in by mistake, or that an attacker won't turn the feature back on. Additionally, Amazon discourages users from disabling the setting, warning that new features may not work as well if it's turned off.

Regulations Should Address Privacy
There are multiple reasons why companies have not viewed IoT security as a priority, but the underlying issue is a lack of regulation. States have started implementing their own privacy laws, such as the California Consumer Privacy Act (CCPA), Nevada Senate Bill 220 Online Privacy Law and the Maine Act to Protect the Privacy of Online Consumer Information, but that is not enough since it only pertains to companies that do business in those states.

The proliferation of technology in our business and personal lives connects people's personally identifiable information to their devices. Without regulation, IoT devices are severely lagging in security standards, with many common devices, like Google Nest, implementing basic security measures, such as two-factor authentication, for the first time in February 2020. Companies must not wait for states to enforce privacy legislation and should instead take a proactive approach to IoT privacy and device security to engender trust with their customers.

What Businesses Need to Protect Themselves
With billions of devices connected, including personal or business devices with corporate data on them, IoT manufacturers have let privacy and security slide. While privacy is extremely important, manufacturers will likely not make changes since that would cause a delay in getting the product to market. Because of this, businesses that use IoT devices must ensure the correct security is in place to compensate for the lack of security from the manufacturer and to avoid an incident, such as a hacker infiltrating the network. Below are just a few solutions that companies should implement to protect the customer.

Visibility matters: Security programs are only now starting to bring operational technology and sensors into the scope of securing businesses. As the landscape of these devices exponentially increases, the attack surface also increases. Visibility is critical, especially as those types of devices start comprising more of the technology landscape. Threat hunting is easier with full visibility as it provides security teams with the ability to identify suspicious activity, providing real-time insights and analytics.

Time is of the essence: Businesses should protect IoT devices throughout all phases of the lifecycle, as detection and response early on can be the difference between a catastrophic breach occurring or not. For example, monitoring the cyber-health and behavior of a device can alert of any patches or updates needed. Today's threat landscape, combined with the challenge of managing the growing number of devices, means it is increasingly important that businesses have tools in place that are equipped to detect and monitor for any threats throughout.

Governance is key: Recently, the Cyberspace Solarium Commission brought up the possibility of an IoT law that would subject devices to "reasonable security measures" and make them compliant with basic security protocols, such as NIST. As more privacy laws will likely go into effect, companies need to ensure they meet the thresholds required by regulation and law. The systems must be classified with appropriate controls placed around them.

In addition to the innovation the IoT brings, it also makes lives better, healthier and more complete, and it impacts businesses. The market is booming in multiple verticals, such as healthcare, and there is money to be made. Vendors must get ahead of the explosive growth and implement changes to have the proper security measures in place in order to grab the largest share.

Furthermore, companies must be vigilant about implementing security since the connected devices used within their businesses might not be protected. Consumers may not realize the security issues, but organizations have the responsibility to put consumers' privacy at the top of their priority list.

James Carder is the chief security officer and VP of LogRhythm Labs. He has more than 20 years of experience working in corporate IT security and consulting for Fortune 500 companies and the U.S. government. At LogRhythm, he develops and maintains the company's security governance model and risk strategies; protects the confidentiality, integrity, and availability of information assets; and oversees threat and vulnerability management, as well as the security operations center. He also directs the mission and strategic vision for LogRhythm Labs' machine data intelligence, threat and compliance research teams. Prior to joining LogRhythm, James was the director of security informatics at the Mayo Clinic, where he had oversight of threat intelligence, incident response, security operations and offensive security.