In the communications industry we are only too aware of the security problem. We know that it is huge. We know that no company is safe and we know, allegedly, that the Chinese Government cannot recruit hackers fast enough to keep up with the flaws they find in US Government systems.
It is, however, one thing to hack into a payments system, steal credit card details and sell them on the dark web. First, this is not actually life threatening and secondly, once hacked, it is reasonably easy to cancel credit cards and issue new ones. One story we heard over the summer was a bank customer in the US whose credit card was hacked, cancelled and hacked again before the new one arrived. At worst, they were mildly annoyed.
Once security becomes a matter of life and death, the issue becomes much more serious. As guest writers, such as Markus Milsted, tell us, the IoT is that serious, and needs to be secured, now. More so, because the IoT is now becoming visible to people in daily life. People who have not necessarily heard of the IoT, know what you mean when you say ‘you know, your connected fridge or toaster.’ And respond by saying ‘Oh yes. That’s ridiculous.’ Yet, among the stories of fridges, baby monitors and washing machines that are hacked, a whole raft of IoT developments are emerging, which, if hacked, definitely could be the difference between life and death.
For that reason, it seems encouraging that ENISA (the European Network and Information Security Agency) is putting security high on the agenda for its work programme in 2016. It is also comforting that they are concentrating on healthcare, airport safety, and public roads. They need to secure the infrastructure.
This is what might be termed a ‘good start.’
The problem with initiatives such as this (apart from the fact that it is progress by committee) is that the output, the deliverable, is a report. This means that in 14 months time, a report will arrive, explaining in detail just how vulnerable a raft of connected (and semi connected) systems are and making some recommendations.
This does not mean that initiatives like this should not happen. On the contrary, particularly when life, and lots of it, is at stake. But there is now a need for speed. In 14 months time, people will be even more aware of the risks, even more companies will have been hacked and a lot of them will make the headlines. This can only make customers more nervous of buying things that are connected and could easily lead to a back-lash against the IoT. To use a Gartnerism, we could be looking at the trough of disillusionment for the IoT.
We will never get far enough ahead in security. There will always be those who are two paces ahead of the game. But, to back up initiatives such as the ENISA one, business should step up its action plan, both in the manufacture of solutions, and, critically, in education.
The real Achilles heel is still in the fact that management, both senior and less so, are not aware of the risks. Or think that security is someone else’s problem. Those who install systems are still leaving default settings in place and not asking themselves ‘does this system actually need to be accessible remotely?’ And they are doing it because no-one tells them not to, through a lack of awareness and education.
It is amusing to poke fun at some iterations of the IoT. But in some arenas security is quickly becoming a matter of life and death. We need action and resources now, before people say ‘no’ and disconnect.
Recent Comments