Kurt Wescoe’s Advice for Manufacturers
For organizations manufacturing IoT devices, it’s important that they strike a balance between ease of use and security. Manufacturers are being pushed to deliver more capabilities with longer battery life and a smaller footprint. The challenge is it takes processing power and resources to implement some of the protective measures.
I think these device manufacturers can look to the past for help. While not to the same extent, endpoints, tablets, and phones all had similar resource challenges as they have evolved, and those manufacturers had to make decisions on what types of security solutions they enabled. For example, IoT manufacturers can look to how other device manufacturers have combatted the DDoS threat on endpoints in the past and figure out how they can apply similar measures within their devices.
Another challenge for manufacturers is that which makes us more secure often makes products harder to use. But forcing people to follow best practices is a great step that we need to see become ubiquitous. I’ve been impressed with devices that don’t come with default passwords and that require a USB connection to set up. If the device just works out of the box, people aren’t going to spend the time to set up security. But if users are required to go through a setup wizard and change the password we’re on the right path. Empowering the users to make better security decisions ultimately puts us all in a better place.
I do wish the device manufacturers were working on a way to integrate two-factor authentication into IoT devices. We’ve seen a lot of progress in the last few years with integrations with cell phones, and we’ve seen consumer services like Twitter and Gmail making it available to end users. This would be a good step forward for IoT devices that have more far-reaching consequences in the event of a compromise.
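The setup-wizard pattern described above (no factory default password, and no remote management until the owner has set a credential over a local connection) can be expressed as a small first-boot provisioning gate in firmware. The following C is an added illustration written for this page, not code from any vendor or from the contributors quoted here; the device model, the channel names, the list of rejected default strings, and the 12-character policy are all constructed assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical first-boot provisioning gate for an IoT device (added example). */

/* Where the setup request arrived from. Only local links may run first-time setup. */
enum setup_channel { CHANNEL_LOCAL_USB = 0, CHANNEL_LOCAL_CONSOLE = 1, CHANNEL_REMOTE = 2 };

enum provision_result {
    PROVISION_OK = 0,
    PROVISION_ERR_REMOTE_CHANNEL = 1,   /* first-time setup must come over a local link */
    PROVISION_ERR_DEFAULT_PASSWORD = 2, /* matches a well-known factory/default string */
    PROVISION_ERR_WEAK_PASSWORD = 3,    /* fails the minimum password policy */
    PROVISION_ERR_ALREADY_SET = 4       /* the first-boot wizard may run only once */
};

struct device_state {
    int credential_set;   /* 0 until the owner has chosen a password */
    int remote_enabled;   /* network management stays off until then */
    char model[16];       /* constructed model string, also rejected as a password */
};

/* Constructed list of strings a shipped image must never accept as a credential. */
static const char *k_default_passwords[] = { "admin", "password", "1234", "12345678", "default", "" };

/* Case-insensitive string equality so "Admin" and "admin" are treated alike. */
static int str_ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

void device_init(struct device_state *d, const char *model)
{
    memset(d, 0, sizeof *d);
    strncpy(d->model, model, sizeof d->model - 1);
}

/* 1 if pw is a known default or the device's own model name, 0 otherwise. */
int is_default_password(const struct device_state *d, const char *pw)
{
    size_t i;
    for (i = 0; i < sizeof k_default_passwords / sizeof k_default_passwords[0]; i++)
        if (str_ieq(pw, k_default_passwords[i])) return 1;
    return str_ieq(pw, d->model);
}

/* Assumed policy: at least 12 characters with at least one letter and one digit. */
int password_meets_policy(const char *pw)
{
    int has_letter = 0, has_digit = 0;
    const char *p;
    if (strlen(pw) < 12) return 0;
    for (p = pw; *p; p++) {
        if (isalpha((unsigned char)*p)) has_letter = 1;
        if (isdigit((unsigned char)*p)) has_digit = 1;
    }
    return has_letter && has_digit;
}

/* The gate itself: every failure leaves remote management disabled. */
enum provision_result provision_credential(struct device_state *d, const char *pw, enum setup_channel ch)
{
    if (d->credential_set) return PROVISION_ERR_ALREADY_SET;
    if (ch == CHANNEL_REMOTE) return PROVISION_ERR_REMOTE_CHANNEL;
    if (is_default_password(d, pw)) return PROVISION_ERR_DEFAULT_PASSWORD;
    if (!password_meets_policy(pw)) return PROVISION_ERR_WEAK_PASSWORD;
    /* Real firmware would store a salted KDF output here, never the plaintext; omitted in this sketch. */
    d->credential_set = 1;
    d->remote_enabled = 1;
    return PROVISION_OK;
}

/* Network services consult this before listening; it is false on a fresh image. */
int remote_admin_allowed(const struct device_state *d)
{
    return d->credential_set && d->remote_enabled;
}

int main(void)
{
    struct device_state d;
    device_init(&d, "CAM-200");
    printf("fresh image, remote admin allowed: %d\n", remote_admin_allowed(&d));
    printf("remote attempt -> %d\n", provision_credential(&d, "correct-horse-7", CHANNEL_REMOTE));
    printf("default 'Admin' over USB -> %d\n", provision_credential(&d, "Admin", CHANNEL_LOCAL_USB));
    printf("good password over USB -> %d\n", provision_credential(&d, "correct-horse-7", CHANNEL_LOCAL_USB));
    printf("after setup, remote admin allowed: %d\n", remote_admin_allowed(&d));
    return 0;
}
```

The point of the structure is that there is no code path that turns `remote_enabled` on without a credential having passed both the default-string check and the policy check, so a device left in its shipped state simply does not answer on the network.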
Trevor Hawthorn on the ‘Human Factor’
Taking a step back, the biggest IoT risks lie in four main areas: a brand’s ability to develop secure devices from the get-go, an enterprise’s focus on educating employees on the risks these products pose to their company, the ability of the user to securely deploy IoT devices, and the consumer’s level of knowledge on how to keep their personal information secure from malicious actors while using these devices.
As long as people are developing and using products, there will always be the “human” factor. People make mistakes, and are limited to the knowledge and experiences they’ve had when making judgement calls. When faced with a potentially compromising situation, the ideal outcome is that an employee has been trained well enough to deploy and use an IoT system while avoiding or minimizing the risk. There is no such thing as “zero risk,” so while we can apply technical fixes to technology, end users are also “patchable,” but each requires ongoing maintenance as part of an organization’s security awareness training efforts.