29 Dec 2016
Would you sign off on a regular nurse performing open-heart surgery on you?
Then why do you buy devices that connect to the internet when they’re not built by cybersecurity experts?
Before we open that can of worms, let’s explain what we’re talking about. Today, just about every home has at least one device that connects to the internet. Not just a computer or a phone, but a fitness wristband, a thermostat, or even a child’s doll. Just about every product you could want has a version that connects to a network to give the user greater access to information and control.
It’s great for convenience, which means that the consumer (you) will be happy. But whether you know it or not, when you buy Internet-of-Things (IoT) devices you’re trading your cybersecurity for convenience. Every device that connects to the internet is also reachable by every hacker online. So every webcam and Fitbit in your home is a doorway for hackers to look into your life.
Now, you might be saying to yourself, “It can’t be that bad. You’re just saying that to scare me.” But remember when we asked whether you would let a regular nurse perform surgery? That’s exactly what is happening with your IoT devices. The people building them are not cybersecurity experts but regular engineers, so when the devices connect to the internet they are not protected as they should be. A giant market of poorly protected devices has been created, which means that even if you wanted to buy properly protected devices you would have a hard time finding them.
There is some good news though. There are already security standards for certain industries designed to ensure that everything they make or every service they provide is safe for the customer. These standards could be tweaked to apply to larger manufacturers, so that you can know that the devices you bought for your loved ones last Christmas won’t be an open doorway for hackers into your home. The International Organization for Standardization (ISO) creates information security management standards; its most popular one is ISO 27001.
ISO 27001 is an international information security standard designed to fit a wide variety of companies in different industries. For example, ISO 27001 type II is designed to keep cloud service providers secure. There are other types of ISO 27001 that fit other companies, and the steps the system calls for suit companies large and small. ISO 27001 works so well that it’s becoming a standard around the world: in 2006, just over 5,000 companies used ISO 27001, but by 2014 nearly 25,000 did.
The answer to the IoT problem isn’t to make ISO 27001 a federally enforced standard for all manufacturers. But a similar standard that forces manufacturers to make devices that are both convenient and safe to bring into your home could be. The people designing most IoT devices are not concerned with how strong the login credentials are or with creating updates and patches for their devices. They’re concerned with making their bosses happy and getting a product out the door. But if you inform yourself about the cybersecurity threats just outside your door, then one day they may be. Educate yourself on security standards like ISO 27001 and push for legislation that reflects what you learn in the process.
You won’t just be protecting your business, but your family too.