IoT is Finally Here, We All Need to Rethink Our Approach to Security

It has been a long time coming. The concept of millions of devices connected via the internet has been talked about for at least 15 years, but the challenge of getting the hardware costs down to the point of insignificance and working with unreliable and patchy connections has meant that it has taken until now for the idea to take hold.

While IoT is delivering some undeniable benefits for the way we live our lives and organize our businesses, there is a danger that we could be sleepwalking into a security nightmare unless we all start to rethink our approach to protecting ourselves from the dangers lurking in the dark recesses of the internet.

If we just stop and think about our own homes as one example, it is likely that each member of the family will have a smartphone and probably a laptop or tablet for their own personal use, as well as at least one connected TV for the family. Then, for increasing numbers of households, there are the smart utility meters, CCTV, lighting and heating systems that can all be remotely controlled using the latest lifestyle apps.

Typically, all of these will be sharing a single broadband connection via a standard router supplied by the ISP, which, depending on your provider, is likely to have minimal in-built security features, if any at all.

Then consider that the number of people who are regularly working from home increased by more than 800,000 between 2005 and 2014, according to a recent TUC report. It is estimated that there are now close to five million people who are using the same devices and home network connections for many business-related activities as well as online shopping, email, IM, video streaming and social media activities, and the risk of a security breach is growing exponentially every day.

The more security-savvy businesses mandate that employees use secure VPN connections and multi-factor authentication when connecting from outside the corporate network. Equally savvy are hackers, who target our connected devices themselves as a backdoor way of introducing malware onto critical business servers the next time the employee connects their personal laptop to the LAN.

Today even the smallest business is likely to have at least a firewall protecting the internet access point, as well as a reasonably robust anti-x software package running on the end-points to maintain some control over what gets into and out of the network. Others invest significant budgets to deploy sophisticated, multi-layered, defense-in-depth strategies that continually monitor all internal and external traffic for signs of suspect activity that might indicate that a serious security breach or a potential data leakage event is in progress.

Yet even with new vulnerabilities being exposed every day, many of these same businesses are happy for employees to operate their home networks with little or no protection from the latest exploits and malware attacks.

To some extent this can be explained by the lack of viable security solutions that are up to the task. Where they do exist, they are often too expensive and too complex to be set up and configured without some specialist security knowledge, which is thin on the ground.

It is understandable that the major security vendors have, up to now, focused R&D on the corporate network market, but the proliferation of connected devices and the growing availability of domestic high-speed broadband connectivity means that a new market sector opportunity has appeared for managed security service providers that are able to deliver business-class services to the home user.

Ideally the answer would be for operators and ISPs to build more granular security functions into their domestic routers, and maybe they will when they introduce the next generation of devices. But realistically, with millions of routers already out there, the cost alone means that this will not be happening anytime soon, at least for existing customers. This means that, to ensure the home network does not become the security Achilles heel for businesses, an alternative approach to protecting personal online identities and closing back doors into the corporate LAN is going to be required for some time to come.

The essential components of such a service are starting to emerge in the form of compact, low-cost IPS devices that can be remotely monitored and updated. Placed in line between the router and the end-point, such devices can raise protection to business-class levels, not just for a fraction of the cost of the standard network security devices that are commonly deployed today but also without the need for home owners to become security experts.

What’s needed now is for everyone to wake up to the dangers of rushing into deploying the latest connected gadget and take responsibility for ensuring they do not inadvertently become a soft target for opportunistic hackers.
