In plain sight – how smart homes risk enterprise IoT, and why nothing is being done
With the rise of connected devices in homes and offices spiralling upwards, Paul Hague, chief executive at UK cybersecurity firm BlackDice, says enterprises are letting vulnerable home devices onto their networks and walking blindly into a cybersecurity nightmare.
The internet of things (IoT) hasn’t changed much in the last five years, and it’s unclear just where the benefits are for people in the consumer IoT market. Smart locks? What about when the Wi-Fi goes down? Smart bulbs? How do they enhance a home experience?
Does adding ‘smart’ to the front of a product even deliver anything meaningful? The smart home market is full of neat technology with obscure benefits. In the home, IoT is a technology still looking for a problem.
For industry, however, IoT has become revolutionary. The benefits are clear, from automation to connected sensors. Industry has looked at the business benefits of IoT, and – particularly with the Industry 4.0 movement – has been able to track and monitor them tangibly.
Of course, an increased volume of connected sensors and devices brings larger amounts of data, and more opportunities to hack. If you increase your devices by 300 per cent, say, you increase your potential attack surface by 300 per cent as well. And it just takes one badly protected device to allow a hacker to access the entire network.
For industry, this is a critical consideration. But boundaries are blurred. It takes a single device, taken from a home into a business (or indeed, vice versa) to introduce a vulnerability, and all of a sudden, the whole enterprise is at risk.
Connected homes are not about bricks and mortar. Phones, laptops, speakers, trackers, and other devices are moving in and out of them, connecting to unknown and untraceable networks. Our modern lives are intertwined, and if a vulnerable device moves from the home to the office, its vulnerability spread with it.
Cybersecurity should be treated as a PAT test, as part of electricity checks. It should not go unchecked when an employee brings an electronic hardware into an office. Any professional business should PAT test that hardware – to ensure there are no electrical faults being introduced into the space.
So why do we not have a cybersecurity PAT test equivalent? While some businesses remove this issue totally by only allowing managed devices provided by the company, there are millions of unsecured devices bringing vulnerabilities into the enterprise space – and the lifeblood of the economy.
It’s happening in plain sight. Consumer electronics which are ‘smart’ and can connect to a network are often not adequately protected, with unsecure components just waiting for a data leak – in the background, without anyone knowing about it.
Why don’t people know about it? If the general public knew what was going on, it would threaten the whole telecoms industry and their internet provision. For years, everyone has turned their backs – as if it is someone else’s problem. Few individuals or businesses are doing anything about it.
The IT security focus in the home for the last 20 years has been about anti-virus software, which many equate with cybersecurity. If only it was that simple. Even something as vital as an internet router is blindly accepted into people’s homes, and their vulnerabilities are not widely known.
It’s happening right now. Just this month, an app purporting to be a Samsung updates system was downloaded by over ten million people worldwide. The problem has been the app has nothing to do with Samsung. People have been duped by their desire to keep their devices current, and their lack of experience in recognising cybersecurity threats.
Big companies can have blank check books for cybersecurity, but what about families? We cannot continue to just ignore what’s going on. It’s hiding in plain sight, and there will come a time, after a massive cyberattack, when we ask why we didn’t know. We did. We just didn’t do anything about it.
Invent the ship, and create the shipwreck. There are benefits to IoT, but without cutting edge cybersecurity, there are trade-offs too.