It was bound to happen. With the amount of cyber-crime that is taking place on a daily basis, it was only a matter of time before governments got serious about implementing laws that would improve security around devices that have high connectivity.
While IoT devices undoubtedly make our lives easier, they leave us vulnerable to cyber-crime because the security protocols on these devices are not up to standard. This provides cyber criminals with a gateway into your network where their fun can begin. Not so much fun for you though.
I recently read an article on computorweekly.com which pointed out that the UK is getting serious about IoT security.
It’s about the masses.
The article points out that rigorous new legislation is set to protect the security and privacy of millions of users of internet of things (IoT) devices across the UK under plans drawn up by the Department for Digital, Culture, Media and Sport (DCMS).
Announced today by digital minister Matt Warman, the law will force manufacturers of smart connected devices to adhere to a set of stringent cyber security requirements.
“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology,” said Warman.
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.
“It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
Key rules
The article points out that, as proposed in the original DCMS consultation that was held in the spring of 2019, the legislation will contain three key rules:
- that all consumer IoT device passwords must be unique, and not resettable to any factory setting;
- that IoT device manufacturers must have a public point of contact for anybody to report a vulnerability, and that reports are quickly acted upon; and
- that manufacturers must explicitly state a minimum length of time for which devices will receive security patches when sold.
The article adds that the measures were developed with input from industry and the UK’s National Cyber Security Centre (NCSC), and DCMS said they would set new standards for best practice requirements for those that make and sell smart, connected devices to consumers.
The legislation builds on a voluntary Secure by Design code of practice for consumer IoT goods, which the government introduced back in 2018. The first of its kind in the world, the code sets the standard for stronger security measures to be designed into IoT products, and is backed by, among others, Centrica Hiva, HP Inc Geo and Panasonic.
Further development.
The article points out that a globally applicable standard based on the UK’s has since been published by European standards body ETSI.
DCMS said the government hoped to further develop legislation that protects consumers more effectively, is easily implemented by end-users, and still supports the long-term growth of the IoT.
Nicola Hudson, Policy and Communications Director at the NCSC, told computorweekly.com that the legislation should be hugely welcomed. “It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past,” she said.
Supportive measures.
Matthew Evans, Director of Markets at TechUK told computorweekly.com, “consumer IoT devices can deliver real benefits to individuals and society, but TechUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up.
“TechUK is therefore supportive of the government’s commitment to legislate for cyber security to be built into consumer IoT products from the design stage. TechUK has been working on these three principles for the past four years.
John Moor, Managing Director of the IoT Security Foundation told computorweekly.com, “over the past five years, there has been a great deal of concern expressed toward vulnerable consumers and inadequate cyber security protection.
“Understanding the complex nature of IoT security and determining the minimum requirements has been a challenge, yet after a thorough and robust consultation, those baseline requirements have now been universally agreed.
“The IoT Security Foundation welcomes the results of the consultation as it not only provides clarity for industry, but is great news for consumers and bad news for hackers.”
Smaller companies need to get serious
There is a belief that only large companies are targets to cyber criminals. This is a fallacy. Smaller and medium sized companies are just as vulnerable. This was pointed out in an article that I recently read on the subject.
The article points out that whenever we hear about major cyber security attacks such as data breaches, it’s typically larger enterprises that are the victims. That makes sense, considering those events can potentially impact a lot of people and therefore are more likely to grab headlines and garner attention.
But that doesn’t mean small and mid-sized companies (SMBs) are immune to such attacks. In fact, smaller organizations are frequent targets of cyber incidents, and they generally have far fewer resources with which to defend themselves.
Recent studies.
The article adds that a recent study by the Ponemon Institute, which conducts research on a variety of security-related topics, presents a clear picture of the cyber security challenges SMBs are facing. The report, “The 2019 Global State of Cybersecurity in SMBs,” states that for the third consecutive year small and medium-sized companies reported a significant increase in targeted cyber security breaches.
For its report, Ponemon conducted an online survey of 2,391 IT and IT security practitioners worldwide in August and September 2019, and found that attacks against U.S., U.K., and European businesses are growing in both frequency and sophistication.
The article adds that nearly half of the respondents (45%) described their organization’s IT posture as ineffective, with 39% reporting that they have no incident response plan in place.
Cyber criminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs, noted Larry Ponemon, chairman and founder of the Ponemon Institute. The report shows that cyber-attacks are a global phenomenon, as is the lack of awareness and preparedness by businesses globally, he said.
Overall, cyber-attacks are increasing dramatically, the report said. About three quarters of the U.S. companies surveyed (76%) were attacked within the previous 12 months, up from 55% in a 2016 survey. Globally, 66% of respondents reported attacks in the same timeframe.
Popular motives
The article points out that attacks that rely on user deception are on the rise, the study said. Overall, attacks are becoming more sophisticated, with phishing (57%), compromised or stolen devices (33%), and credential theft (30%) among the most common attacks waged against SMBs globally.
Data loss is among the most common impact of cyber security events. Worldwide, 63% of businesses reported an incident involving the loss of sensitive information about customers and employees in the previous year.
The article adds that SMBs around the world increasingly are adopting emerging technologies such as mobile devices and apps, the Internet of Things (IoT), and biometrics, despite having a lack of confidence in their ability to protect their sensitive information.
Nearly half of the survey respondents (48%) access more than 50% of their business-critical applications from mobile devices, yet virtually the same portion of respondents said the use of mobile devices to access critical applications diminishes their organization’s security posture.
Furthermore, a large majority of respondents (80%) think it is likely that a security incident related to unsecured IoT devices could be catastrophic. Still, only 21% monitor the risk of IoT devices in the workplace.
Biometrics mainstream.
The report also suggests that biometrics might finally be moving toward the mainstream. Three quarters of SMBs currently use biometrics to identify and authenticate users or have plans to do so soon.
Small and mid-sized companies can take several steps to bolster their cyber security programs. One is to educate users and managers throughout the organization about the importance of strong security and taking measures to keep data safe.
The article added that because so many attacks begin with employees opening suspicious email attachments or clicking on links that lead to malware infestations or phishing, training users to identify these threats is vital. Companies can leverage a number of free training resources online to help spread the word about good security hygiene.
Smaller companies, particularly those will limited internal cyber security skills, can also consider hiring a managed security services provider (MSSP) to help build up a security program. Many of these firms are knowledgeable about in the latest threats, vulnerabilities, and tools, and can help SMBs quickly get up to speed from security standpoint.
And companies can deploy products and services that are specifically aimed at securing small businesses. Such tools provide protection for common IT environments such as Windows, macOS, Android, and iOS devices. They are designed to protects businesses against ransomware and other new and existing cyber threats and prevent data breaches that can put personal and financial data at risk.
The article points out that some of these offerings can be installed in a matter of minutes with no cyber security or IT skills required, which is ideal for smaller companies with limited resources and a need to deploy stronger defenses quickly.
Microsoft is joining the game.
One of the major turning points in the industry will be if companies such as Microsoft or Apple can lend their considerable warchest or capital, and industry experience, to smaller companies who are in need of assistance when it comes to combatting cyber-crime.
Microsoft has recently opened a cyber security center in Belfast, Northern Ireland, to assist smaller companies in the fight against cyber-crime.
The article points out that the center will create up to 85 jobs in Belfast and will support enterprise customers across Europe, Middle East and Africa and provide consulting and proactive technical support professional services to customers.
Ahead of the opening, Microsoft will work the Department of the Economy to develop Assured Skills Academies at Belfast Met to allow people to upskill and apply for positions.
“An added advantage to this project is the focus on upskilling people to give them the opportunity to work in this dynamic area of the technology industry and over time we hope to be able to grow the team that works with us here in Northern Ireland,” Microsoft’s Darren Dillon told irishtimes.com.
Support from government.
The article points out that the Department for the Economy is providing more than £800,000 in funding for the Assured Skills Academy training places. The academies will be open to candidates with a 2:2 degree or above, or a Level 5 qualification in an IT related subject.
The announcement was made by the North’s Economy Minister Diane Dodds.
“Not only is it a direct result of the skills and talent available here, but it is also an indicator of the strength and vibrancy of the local IT sector, particularly in the field of cyber security,” said Dodds. “Assured Skills Academies have a track record of ensuring local employers have access to the skilled people they need in order to grow, while also upskilling local people and developing the capability of further education colleges.”
Microsoft’s investment is being supported by Invest NI, with £150,000 of funding. “This investment represents a significant boost for the Northern Ireland economy and will provide a range of opportunities for people to train for exciting new hi-tech roles,” Kevin Holland, Chief Executive of Invest Northern Ireland told the irishtimes.com.
Useful tips
A lot of people talk about cyber security and how it is a priority for companies. But do companies know what they need to actually do to improve their security?
I recently read an article that provided five insightful tips on how to make this improvement:
- Analyze Your Cloud. Your “cloud” is where your company’s virtual information is stored. Traditionally, clouds could either be private or public. A private cloud holds internal information that isn’t accessible by outside sources. A public cloud is one that holds information people outside the company can access. Analyze whether your company’s cloud choice is appropriate. In the modern world, most companies are choosing either hybrid clouds or multi-clouds. Recent reports state hybrid clouds meet the broadest spectrum of business requirements. They allow products or services to get to market faster and offer superior end-user applications. They also offer better scalability and greater flexibility. A multi-cloud has the same essential benefits. The difference between a hybrid cloud and a multi-cloud has to do with the way data is stored. A hybrid cloud will host private and public information in the same place. Some hosted information will be set to public while others are set to private. A multi-cloud does the same thing. Except it stores private and public data on separate clouds. This information is not shared between clouds;
- Make the Switch to Hyper-converged Infrastructure. Hyper-converged infrastructure is commonly known as HPI. This is a turnkey alternative to traditional three-tier infrastructures. Many companies find HPI easier to work with.HPI combines an x86-based server and storage resources with intelligent software programs. This lets businesses start small and scale up as they need to. This is typically preferred over needing to guess business growth at the beginning;
- Increase Your WiFi Capabilities. In the past, wireless LANs were for meeting rooms or other small areas. That isn’t the case today. Your wireless LAN has the potential to cover your entire campus or organizational compound. Having increased WiFi capabilities provides several benefits. It increases employee productivity across the broad and enhances the ability to collaborate. It has also been shown to improve employee responsiveness to customers;
- Consider Working with an ADCaaS Company. ADCaas stands for “application delivery control as a service.” This is an on-demand application tool that is cloud-hosted. Since it’s hosted through the cloud, an ADCaaS doesn’t need companies to own any on-site equipment. When working with an ADCaaS company, the costs are lower upfront. It’s also easier to manage than traditional ADC systems; and
- Get Better Security. Seventy-seven percent of organizations recently reported being victims of at least one cyber attack. Cyber attacks result in data breaches or system crashes. Both are harmful to a company and its reputation. The best option is to get better security for your IT infrastructure. The best security methods are embedded in your infrastructure. The less-effective alternative is to have security added later as an extra layer. When security is built into your infrastructure, it’s better equipped to handle cyber threats. It will also be able to correct itself with little intervention from staff. Best of all, built-in options weave security standards throughout the entire development life cycle.