Many years ago, when the Internet became popular, the Belgian government hired us to set up a site to educate consumers and businesses on security risks and measures to take, in order to use the Internet safely. It was part of a major awareness campaign.
Consumers lack awareness about the potential risks associated with emerging connected devices (Gary Davis, Intel Security)
Today, there are still quite some people who use the Internet without the needed security controls. Sure, they have some software but that’s about it and often it’s not even updated. Still, you cannot compare today with those early days. In general, consumers are more aware of the risks of the Internet, social networks, etc.
The same goes for businesses where we finally see holistic security approaches (the only viable approaches are by definition holistic) getting more and more attention. But, as you’ll see and read there is still a lot of work to do. Moreover, with the holiday season approaching fast and recent IoT vulnerabilities and DDoS attacks in mind, it’s time to pay attention to it, certainly in the context of connected devices and the Internet of Things in a consumer context.
Security and data privacy challenges are more critical than ever in human history
Cybersecurity – and data privacy – are no laughing matter. They never have been. But in a data-driven digital transformation economy they are simply critical for the ways we work, consume, do business and live.
You probably know the famous saying that data is the new oil? Well, to quote Deloitte’s Dana Spataru at the IoT Solutions World Congress in Barcelona, end October 2016: “Data is the new oil, and data leaks are the new oil spills”. I would add that not everyone agrees who owns – and is responsible for – the oil.
At the same time hackers and attackers increasingly operate in real cybercrime syndicates and threats are becoming more sophisticated with close to 60% of advanced threats coming in over encrypted traffic, calling for a different cybersecurity approach.
Furthermore, data privacy and personal data processing are increasingly being regulated by governments and supra-national institutes, as is for instance the case with the coming General Data Protection Regulation (GDPR) in the EU and its pretty significant fines and penalties and also with the ePrivacy Regulation.
While attitudes towards data privacy and ethics differ per region and per person, in an age where data – and the value we obtain from it – is the essence of the Internet of Things and where data is a key business asset in a DX economy, expect more initiatives. In the end the task of a government is to protect its citizens and in a digital age this also includes data. No wonder that regulation de facto is a key driver of the security market.
Time to get real about consumer IoT security: rotten apples and the human factor
Of course, industry bodies, local government awareness programs as I mentioned in the beginning and all kinds of associations are working towards enhanced security as well. This certainly also happens in the IoT industry where security initiatives pop up faster than ever.
Just one example of such initiatives, here in the consumer space: the introduction of a new, S2 framework by the Z-Wave Alliance (Z-Wave is a smart home standard) which is mandatory for all vendors who want Z-Wave certification after April 2nd, 2017.
However, let’s face it: not every vendor, certainly if not using standards where security is key to be certified, is as concerned about security as about profit, to say the least. That’s a challenge for the industry. You know the saying about the barrel of apples and the few rotten ones. In the end, and we’ve seen this so often in various areas, regulators step in. No matter how you feel about regulation and regardless of industry initiatives: it’s a public secret that some of those (often cheaper) devices are made by companies that don’t keep into account the most basic basics of security. Yet, there is no way for the average consumer to know and no way of shipping these devices right back to the countries where they come from.
Through 2018, over 50% of IoT device manufacturers will not be able to address threats from weak authentication practices (Gartner)
But, again, with the Internet of Things the stakes are higher, much higher. That brings us to the question: do we need to educate consumers on what to do and what not to do from a security perspective when acquiring specific connected devices and solutions soon?
Are they going to read tests, involving products, as “security in the cloud leader” Zscaler recently did? No. The fact is that there is no guidebook and efforts to educate consumers are of course scattered across companies, associations, governments, you name it. There is no ‘one place to go to’. Maybe it’s not needed or possible, maybe we need regulation instead but we do need something and, preferably, several concerted efforts.
Education on security is crucial in organizations where security is not an afterthought but looked upon from a holistic and end-to-end perspective as it should be in this digital business age.
What’s the first and most essential part of such a holistic security approach? Indeed: educate your people as they are a major cause of security breaches. You can invest in a state-of-the-art security solution with predictive analytics and an embedded security strategy approach but if the human factor is overlooked, then nothing else goes.
The IoT device and IoT security budget challenges at hand
So, what about IoT security? Workers can be educated in the context of an overall cybersecurity strategy but what about consumers? And can you keep the manufacturers of devices who don’t take security into account away? And what about the installed base?
By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets (Gartner)
If we want to realize all this, it’s going to take a long time before we’re there if we ever get there at all. Because here is again another fact from the enterprise world: although Gartner expects that by 2020, over 25 percent of identified enterprise attacks will involve IoT, IoT will only account for 10 percent of security budgets. If it’s not considered important enough in organizations, then why would it be overall? The industry can play a role but it can’t do everything.
Knowing that, also according to Gartner, through 2018, over 50 percent of IoT device manufacturers will not be able to address threats from weak authentication practices, the picture becomes even worse.
It’s probably not a coincidence that, with the 2016 holiday season in mind, associations and vendors are stepping up their marketing and communication efforts to remind us, as consumers, reporters and analysts, that consumers really aren’t educated, or at least confident enough on IoT security and security overall.
Reality check: how consumers feel and behave when receiving/acquiring a connected device
Here are some research data that make the challenge more tangible in a consumer IoT perspective.
According to a press release and new infographic (see below) from McAfee (Intel Security), released at the occasion of the 2016 holiday season, only 42 percent of consumers take proper security measures to protect their new gadgets. And among these gadgets are obviously connected devices too.
From drones to smart home products and other Consumer IoT devices: they are all a risk and not just for the uninformed or uncertain consumer.
By 2018, 16% of the Population Will Be Millennials and Be Accelerating IoT Adoption Because of Their Reality of a Connected World (IDC)
After all, the age of IoT is one of hyper-connectedness. What is certain though is that the consumer is impatient and McAfee found that a whopping 79 percent of consumers start using connected devices within the first day of receiving them. The chart below, based on the press release, shows the discrepancies in consumer awareness regarding vulnerabilities between some ‘older categories’ and some ‘newer’ connected devices.
Moreover, only 42 percent of consumer claim they take the proper security measures and while most consumers realize it is important to secure their devices, 47 percent are certain if they are taking the proper measures to do so.
Depending on the type of device and involved technology it’s also hard to do so within one day. Futhermore, who says that the device can be properly secured to start with if it comes from one of those manufacturers that didn’t take proper precautions?
If you look at some of the most hackable gifts for the 2016 holiday season according to McAfee/Intel Security, you immediately see quite a few are connected devices.
It’s of course not just this holiday season that consumers will buy connected devices. The market is still relatively limited with wristbands, home automation and smartwatches taking the lead (the McAfee research, conducted by OnePoll, also mentions drones as you can see).
According to IDC, by 2018, 16 percent of the population will consist of the demographic cohort we called ‘Millennials’ and that should accelerate IoT adoption.
Add to that the consumer electronics, wearables, home automation (security systems) and other forecasts (watch smart eyewear) and the picture is clear: consumers aren’t going to wait until security challenges are solved, even if they remain a concern.
Do consumers need IoT security “education”?
So, it’s certainly time for action. But the consumer world doesn’t work like those enterprises with high security standards and maturity levels. So the question remains: do we need to educate the consumer (and businesses)? And, if so, who, when, where and how?
Maybe there is no need to inform and educate people on IoT security. Maybe it’s part of a broader, again, holistic exercise to raise awareness about data and security issues in this digital age altogether. Maybe it’s just a waste of time and money.
Unsurprisingly, connected devices remain high on holiday wish lists this year. What is alarming is that consumers remain unaware of what behaviors pose a security risk when it comes to new devices (Gary Davis, chief consumer security evangelist at Intel Security)
It’s obviously a dream that this could happen in a coordinated way just as it is a dream that it is possible to achieve it globally in these geo-political times of change and just as it is a dream that everyone can be educated and, if educated, does the right things. After all, in the business world, the educated, also continue to use applications and devices that aren’t really approved; they always find a way.
Yet, on the other hand, if nothing is done, consumers will 1) continue to struggle with security and 2) continue to shape their perceptions with regards to IoT, let alone connected devices, through media reports with populist messages of the coming IoT-geddon (we did’t invent the term). Moreover, regulators are effectively stepping in.
Still, the more people are knowledgeable, the better. And the more we can move to certifications, tests and getting rid of those rotten apples, the better. Both the industry and consumers, we, have everything to gain when this happens. But the question remains: is it needed, feasible and, if so, who, where, when and how? If you read this far: these are all questions to ponder if you care, while checking out that McAfee infographic below.
The right of information
And here is some additional food for thought: as a consumer I have a right to know and rely on information provided by companies.
If I buy a car and the manufacturer makes statements on the CO2 emission: I need to be able to rely upon that information. It’s the duty of the manufacturer to provide the correct information. If he doesn’t, lawsuits follow and people in the end lose their jobs. I also have a right to buy a smartphone without an exploding battery. And I have a right to buy a product that isn’t hacked the very minute I install it.
Correct product information is a consumer right. In the connected age this should include clear security information.
However, to make those decisions I need to know and I need to be able to hold someone accountable for any damage. Consumer protection laws: they seem to work for the cars and the smartphone batteries, even if the manufacturers have to pay a price. So why not add the right of buying something secure in the context of the Internet (of Things), just as we have the right of buying something secure in the sense that it won’t explode in our face the very instant we plug it in? One common issue between the 3 mentioned examples (the car, the exploding battery and the connected device) is the dimension of speed, profitability and competition. The difference? There are no requirements to provide clear security information in the connected devices market. Think about it.
And here’s a quote from the Intel Security/Mc Afee press release to help you ponder all those questions even more: “Today’s digital world is changing fast, and our reliance on the internet is ever increasing. The recent distributed denial of service (DDoS) attack was carried out by a botnet made up of unsecured webcams and other Internet of Things (IoT) devices, and crippled many popular websites connected to the Dyn domain. It’s important that consumers understand they can help fight these attacks by ensuring their devices are updated and patched, which helps mitigate risks from the latest threats.”
Top image: Shutterstock – Copyright: garagestock – All other images are the property of their respective mentioned owners.