Time for vendors to get off the fence with IoT security

It shouldn't take a government incentive to implement security-by-design

At the end of January, the National Cyber Security Council (NCSC) announced it would establish a £70 million fund to 'design out' cyber threats, and conversely, 'design in' security for IT systems and hardware. It's thought the fund could subsidise research into improving security using AI or integrated security chips.

It's a bold move by the government, and provides a vital incentive for manufacturers to create new ways of ensuring their products are 'secure by design'. The truth is, however, that all over the world, vendors must step up and take more responsibility for the security of their products in the field. Crucially, they must help integrators and resellers ensure devices are properly installed, managed and regularly updated throughout their lifespans.

That said, while government interventions are welcome, the fact that they are deemed to be necessary is a sad reflection on the state of the technology industry in general. We have to get our act together - and fast.

Too many high-profile security breaches are related to zero-day flaws in Internet of Things (IoT) equipment and application software. Last year, hackers made headlines when they breached a database in a Las Vegas casino by gaining entry to the network via a thermostat.

Botnets made up of compromised IoT devices are growing in size and becoming more dangerous. Some of this growth is down to new techniques for attacking devices, but much of it is also down to known vulnerabilities remaining unpatched. This is despite the wealth of information out there and a multitude of well-publicised botnet incidents. Based on the evidence, things will get worse before they get better.

The next step is to re-define cybersecurity processes

The most important thing for technology vendors to do is to embrace the principles of security-by-design. It's not enough to bundle off-the-shelf components with off-the-shelf operating systems: full risk assessments for any new IoT product must be done at the very start of the design process. Developers must mitigate any threats, and a clear programme of support should be devised to ensure new firmware can be delivered to protect against emerging vulnerabilities.

Right now, there's still too much emphasis on how quickly a product can hit the market, and not enough on the long-term welfare and protection of customers and their assets. As vendors, we must also improve our communication with the rest of the channel, and the way that we provide education and awareness around weaknesses created during the installation process. We can design securely, but are we doing enough to ensure that equipment is properly configured? Have we empowered the channel with the right tools to test and verify that the addition of IoT devices connected to a network hasn't created an unexpected vulnerability somewhere else?

Mitigating human nature

We also have a role to play in end-user education, and helping organisations develop a culture of cyber security through staff training and awareness programmes. After all, no matter how secure we make our equipment, human nature will always be a weakness.

That means equipment doesn't just need protecting at the time of installation. What happens, for instance, when the network is expanded further down the line, or when new users are onboarded? Are we providing the right materials to ensure that future expansions are properly configured too, and that the correct levels of threat monitoring are in place?

A recent report by Swiss cybersecurity firm Gemalto suggests 58% of UK businesses would be unable to detect an IoT-related security breach. The onus is therefore on vendors to help slash that number. None of this is easy, and the government's efforts are a welcome recognition that vendors can't achieve full security-by-design by themselves. The IoT ecosphere is too big, and too important, not to make us all reliant on partners in one respect or another.

Steve Kenny is industry liaison for architecture and engineering at Axis Communications
