Internet of things products are small, networked and unfortunately have almost always little or no security. Sometimes this is down to a lack of willingness by the manufacturer but it is also partly due to the nature of the product – small and light also means that these devices have few resources for complex security features such as encryption and packet inspection. This leads to vulnerabilities, numerous attack vectors and ultimately to a bot device which can be abused by almost anyone. Following the latest large-scale attacks that primarily use IoT devices as a digital army there is a loud demand from those who want more legislation and governments to get involved. In a hearing before the Committee on Energy and Commerce of the US House of Representatives, the security guru Bruce Schneier stated that “catastrophic risks” would arise through the proliferation of insecure technology on the Internet.
In 2017, 69% of all applications will reside in the cloud according to Cisco. As we rely increasingly on benefits made possible by further advances in Industrial Internet of Things (IIoT) and mobile devices, it’s a statistic that will continue to rise. The challenge for enterprises today is how to protect data as it streams constantly between physical mobile/IIoT devices to virtual repositories in the cloud and back again. Until corporate IT departments fully manage and stay on top of security, large breaches will continue to make the headlines. Statistics revealed in the Ponemon Institute 2016 Global Cloud Data Security Study show there is still much to do. The study found that nearly half (49%) of cloud services in the enterprise are outside corporate IT’s domain, while around 47% of corporate data stored in cloud environments are not managed by the IT department.
The trend towards greater state surveillance has become even more obvious since Edward Snowden’s revelations. Governments frequently justify such invasions of their citizens’ privacy as counterterrorism or anti-pedophile measures. In recent weeks, two unmissable examples of state interference have been hurried through including an amendment to Rule 41 of the Federal Rules of Criminal Procedure in America and the Investigatory Powers Bill by Theresa May. Both laws permit or legalize massive invasions of privacy. Nobody is questioning the presence of a criminal threat – whatever it may be motivated by. However changes to legislation will weaken the security of many IT products which is already under heavy fire as demonstrated by current events such as the Google hack or attack on Telekom routers in Germany.
Security researchers investigating the Yahoo data breach believe that a failure to use proper encryption is one of the prime reasons behind the hack. If this is right, then many more organizations may be putting customer data at risk. A report by Gemalto and the Ponemon Institute found 92 percent of businesses encrypt just 75 percent or less of their sensitive and confidential data when it is sent via the cloud. The proportion of respondents that encrypt data stored in the cloud is even lower at 40 percent. Worryingly for customers, it is their data that is the most common form of information left unencrypted. This places customer data at considerable risk of being viewed or even harvested by hackers. A simple way of protecting cloud data on its journey from device to cloud storage is to encrypt the whole process using a VPN tunnel.
Mobile banking apps are set to revolutionize how we bank. According to KPMG, the number of mobile banking users globally is forecast to double to 1.8 billion over the next four years. In the UK regulators have announced new rules to let customers access details of their entire finances through a single mobile phone app by 2018. In the US mobile banking industry, technology has yet to overcome fundamental trust issues but the idea is starting to take off among financial services consumers. The banks and financial institutions are working hard to make their mobile apps as secure as possible. User behavior meanwhile has some catching up to do. For example, connections to free and unsecured Wi-Fi are open and vulnerable to fraud. To reduce security risks, it’s a good idea to use a virtual private network (VPN). This is a tried and tested way to secure the connection and encrypt all data transferred between the mobile device and the bank.
At last, influential policymakers are slowly becoming aware of the damages unsecured IoT devices can cause. Recent attacks on high profile targets, exploiting cameras and routers, have attracted a lot of attention. Some of the issues will not likely be solved until manufacturers improve the security of their systems. However, many attack vectors could be eliminated easily with appropriate precautionary measures. Currently, the Federal Office for Information Security (BSI) is drafting a new module to address IoT device security. Although it does not refer to specific manufacturers or technologies, the proposal includes concepts for securing IoT devices so that they cannot be manipulated or accessed without authorization to compromise data and IT security within an organization or to target other organizations.