Who is Responsible for IoT Security?
As we discussed way back in part 2 and part 3 of this series, when consequences aren't immediately apparent, responsibility isn't immediately taken. Without an incentive to take action, most IoT device manufacturers simply won't.
Who, then, is responsible for IoT security, if not the manufacturer? Is it the consumer? The enterprise? The government? In theory, the answer is some combination of all four. But in practice, the answer is a bit tougher to swallow. It's you.
The IoT Security Responsibility Shift
We already talked about the many vulnerabilities created by the race to market, and by the lack of security expertise among manufacturers who are beginning to add networking and software stacks to connect their products. Devices are intended to be plug-and-play, set-it-and-forget-it, so default credentials that never get changed are an issue. But network security for IoT is an issue too, meaning you can't lay all of the blame on the device manufacturer.
"It's a shared responsibility model," says Yolonda Smith of Pwnie Express, an Outpost24 company. If you buy a Bluetooth app-connected stuffed animal, "you should look on the box and ask, 'how is this data stored? Do I have control over that data once it's stored?'" Some of the responsibility is the manufacturer's: the setup process should require you to change your username and password as soon as the device is powered on, for instance. "No one expects a consumer to ask if their device is talking to a certain server. But they do have a role in protecting their own data," says Smith.
"Consumers need to think of their data like it's money. That's certainly how vendors and attackers alike treat it. They should protect their social security number like it's gold; ask if their phone number is absolutely necessary to get access to an application. If more consumers think of it that way, I think they'll be much more considerate and careful about the tradeoffs they're willing to make for the sake of a convenience or service." Smith suggests that voting with dollars is the security mentality to adopt, referring back to the CloudPets and Target examples: everyone expected these businesses to take monstrous financial hits when personal data leaked from their products and stores, but the outcome did not quite match the expectation. However, with newer regulations such as GDPR and CCPA, the financial implications can be catastrophic: up to 4% of turnover for GDPR breaches.
"Exposure is a big incentive and a major driver of cultural change," says Smith. "Target did ultimately adopt each and every security control recommended post-breach. They regularly walk people through their cyber fusion center to show people how their data is being handled. They recognized they could take it and bury it, or they could say, this is what we can do to improve. And that's the incentive for the manufacturers."
When IoT devices are introduced into corporate environments, the purchaser or the security team has the ability, and the responsibility, to ask: "what is this device communicating with, and what's the context of that communication?" The answer has major implications for revenue generation, and that is what takes precedence in a corporate environment. With IoT security risk expanding beyond just data loss, safety and revenue are put at risk as well.
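One way a corporate security team can answer that question is to keep a documented baseline of destinations per device and flag any traffic outside it. This is an added example, not code from the original post or from Pwnie Express/Outpost24; the device names, hostnames and flow records are constructed.

```python
from collections import defaultdict

# Constructed sample flow records: (device, destination host, destination port).
# Illustrative values only, not real devices or servers.
SAMPLE_FLOWS = [
    ("bedside-monitor-07", "telemetry.monitor-vendor.example", 443),
    ("bedside-monitor-07", "ntp.corp.example", 123),
    ("bedside-monitor-07", "198.51.100.23", 23),  # telnet to an undocumented host
    ("lobby-camera-02", "cloud.camera-vendor.example", 443),
    ("lobby-camera-02", "cloud.camera-vendor.example", 8883),  # undocumented port
    ("smart-tv-01", "updates.tv-vendor.example", 443),
]

# What each device is documented (by the purchaser) to need. Anything else is
# a question for the security team: what is it talking to, and why?
EXPECTED = {
    "bedside-monitor-07": {("telemetry.monitor-vendor.example", 443),
                           ("ntp.corp.example", 123)},
    "lobby-camera-02": {("cloud.camera-vendor.example", 443)},
    # smart-tv-01 was deployed with no documented baseline at all
}


def audit_flows(flows, expected):
    """Return {device: [(host, port), ...]} for destinations outside the baseline.

    A device with no baseline reports every destination it contacts, so devices
    that were never documented surface for review first."""
    findings = defaultdict(list)
    seen = set()
    for device, host, port in flows:
        if (device, host, port) in seen:  # report each destination once
            continue
        seen.add((device, host, port))
        baseline = expected.get(device)
        if baseline is None or (host, port) not in baseline:
            findings[device].append((host, port))
    return dict(findings)


def summarize(findings):
    """Render findings as one review line per unexpected destination."""
    return [f"{device}: unexpected destination {host}:{port}"
            for device, dests in sorted(findings.items())
            for host, port in dests]


if __name__ == "__main__":
    for line in summarize(audit_flows(SAMPLE_FLOWS, EXPECTED)):
        print(line)
```

In practice the flow records would come from a firewall, NetFlow or DNS log export, and the baseline from the procurement record for each device.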
Even if employee data is stolen, many corporations won't change their purchasing policies or security parameters. But if the stolen data happens to include valuable intellectual property? The incentive to protect is stronger.
That's generally the responsibility breakdown: device manufacturers should care about life and safety, since vulnerabilities in their devices can't be allowed to cause deaths; corporations should care about revenue generation and availability; consumers should care about privacy.
In the end, though, the responsibility to protect the IoT devices and connections around you, and therefore yourself, your company and your dollars, falls on consumers, manufacturers and corporate security teams alike. Why, then, is the responsibility really just your own?
Because every single one of us, at whatever company we work for, has to be hyper-aware of the unseen vulnerabilities in our wireless environments. If even one individual is under-informed (a nurse, for example, using an unsecured bedside monitor on a hospital network), the results could jeopardize safety, revenue generation and privacy.
Policy creation goes a long way toward promoting awareness. Serious consequences do the same. The first should come first, so we can all mitigate the second.
For more on IoT security and wireless detection and how to fill the gaps as your business becomes ever more connected, visit our wireless security page.