Secure by design

With the security of connected devices an ongoing concern for manufacturers and consumers alike, where does the responsibility lie?

What once was the plot of creative Hollywood blockbuster movies is now becoming a reality. The Internet of Things (IoT) continues to grow as consumers, businesses and governments recognise the benefit of connecting devices to the internet, be it smartphones, wearable devices or smart homes. It is estimated that the number of connected devices in use by 2020 will be 30 billion, that one in five cars will be connected vehicles within the next five years, and that by 2025 the IoT will have a global economic impact of US$11 trillion.

The growing presence of connected devices is increasing efficiency in homes, workplaces and other areas of life where the IoT has been introduced. Despite the expansion of connected devices, however, a number of consumers remain reluctant to adopt the IoT because of security concerns.

One of the reasons for this is that security often remains an afterthought when developing a device that, once in the hands of the consumer, may contain vulnerable software, making the consumer an easy target for attackers.

Manufacturers are lagging

Considering that security and data privacy continue to influence the way consumers engage with a device (to buy or not to buy), one argument is that manufacturers should be moving towards building the necessary security measures in early. According to ISACA's 2015 IT Risk/Reward Barometer, 72 per cent of IT and cybersecurity professionals say manufacturers are not implementing sufficient security in Internet of Things devices.

Security testing is often scheduled late in the development chain, meaning security vulnerabilities can be overlooked or ignored when a product launches to market. This is especially true if the testing could delay the product hitting the market. But security and data privacy concerns are critical issues for manufacturers to consider before commencing development.

Some manufacturers point to the cost and schedule setbacks caused by having to address security requirements early in the development cycle, and while this may be a valid argument from a marketing perspective, building security controls into systems from the outset is far more cost-effective than adding them later in the development cycle or, worse, after deployment, when a vulnerability becomes public.

Consumers' trust

Consumers are generally under the impression that a device is manufactured with their security and privacy expectations in mind. ISACA's research found that 66 per cent of UK consumers are confident they understand and can control the security on the Internet of Things devices they own. But that trust is fragile: not surprisingly, more than two-thirds of consumers surveyed in the US, UK and Germany said they would drop a company after it had been hacked.

According to cybersecurity and IT professionals surveyed for ISACA's Risk/Reward study, device manufacturers are falling short. More than seven in 10 don't think current security standards sufficiently address the Internet of Things and believe that updates and/or new standards are needed. Privacy is also an issue: 84 per cent believe that device makers don't make consumers sufficiently aware of the type of information the devices can collect.

So the argument at play is whether consumers should be more wary of their security and privacy when dealing with connected devices, or whether manufacturers should raise their standards and develop connected devices that do not have security flaws. Although the onus is usually placed on the manufacturer, consumers also have a part to play in ensuring a device is secure enough for their needs.

Would you buy a bag with a broken zipper or a car with no locks? No. The same can be said for connected devices. If secure code is not built in from the first instance, a device may not function as expected.

Who is responsible?

Security is everyone's responsibility – from the developer to the manufacturer and right through to the consumer. While developers need to be competent in secure coding, or to work with security experts on testing as development proceeds, consumers also need to take responsibility for their security by using a device in a secure manner, such as applying adequate password protection, ensuring secure Wi-Fi connections and encrypting all sensitive information.

Consumers can also vote with their wallets and only buy devices that can be automatically updated with security upgrades and that make social media sharing opt-in. For example, most smart home devices currently are fixed-function devices, meaning that once they are shipped and installed they cannot be upgraded to add security. This leaves homeowners vulnerable to attack if there are holes in the security design and software.

As I've mentioned, software security is often overlooked as a business imperative. However, a number of manufacturers are aware of the need to build secure products before they are launched to market, thus limiting the potential for data breaches. What sets these manufacturers apart from those that don't look to build secure devices from the outset?

They understand the need to be secure by design. It's not just about patching up vulnerabilities after the system is created, but about building software from the start with the right security components, so that security is intrinsically embedded and not left as an afterthought.

A range of cybersecurity topics such as this will be discussed at the inaugural CSX Europe 2016 Conference in London, featuring keynotes, workshops and sessions from renowned global security experts.

Dr. Christos K. Dimitriadis, Chair of the BoD, ISACA

ABOUT THE AUTHOR

Dr. Christos Dimitriadis is group director of Information Security for INTRALOT. He has served ISACA as a Director for four terms, chaired the Knowledge Board, the External Relations Committee, the COBIT for Security Task Force, and has been a member of the Relations Board, Academic Relations Committee, Journal Editorial Committee and Business Model for Information Security Workgroup.