With the IoT set to expose an unprecedented amount of our, until now, private data, the pressure is on the industry to make sure security is taken seriously. CBR collected some thoughts on how this will be achieved from experts at Tech UK’s ‘Securing the IoT’ workshop.
1. Duncan Brown, Research Director of European Security at IDC, on IoT privacy:
"We have no idea about the social impact of collecting the data that we are talking about collecting: all of the health data, all of the sensitive data, all of the tracking data…the industry is focused on the technical security part of it but I think as an industry we do need to engage with the privacy side of the market as much as the technical aspect.
"I think we would do ourselves a disservice if we only focused on the technical aspects, as privacy is so important. It will be a key inhibitor in terms of adoption if the general population is not happy. There will [also] be geopolitical differences in terms of what people will stand in terms of their privacy."
2. Stephen Pattison, VP Public Affairs at ARM, on the role of government regulation:
Content from our partners
"I don’t think anybody really wants the government involved [in regulation]…but I do wonder if there are other approaches, for example, mandatory breach notifications [requiring a company that has been breached to report this to consumers]. One place where they are mandatory is California where what it’s done is actually stimulate tremendous initiatives in improving cybersecurity.
"You as a company want to go the extra mile to avoid having to issue a notification. That kind of approach can sometimes stimulate the kind of ecosystem that is built around security by design but actually nudged by something that’s happened outside the ecosystem. I think there could be a role for government in nudging."
3. David Rogers, advisor to BIS, on investing in security for the long-term:
"We have the collective responsibility to ensure that the IoT security ecosystem in itself exists and that you give people a reason to purchase security. You [as suppliers] need to rail against this natural tendency to go for the lowest common denominator. We have a responsibility to be asking those questions and asking [the client] why they are not asking for security.
"If you’re on the other side of the house, you must ask the right questions to the suppliers in terms of why they’re not supplying secure products, because it will come back to bite you. The message to the CEO that, for whatever reason, decides that he needs to be connected is that if you make a cheap decision now it will be very costly in the future."
4. Sian John, Director of Security Strategy at Symantec on IoT security standards:
"In terms of standards, resilience is absolutely key when you getting into these sorts of things; it’s as important to keep the transport system going as it is to maintain its privacy. One of the issues with the IoT is it’s probably making availability as important as confidentiality and integrity. If you think about security, you’d probably make confidentiality more important historically.
"The challenge with compliance [with these standards] is that tick-box culture that comes. You tick a box, become compliant, and don’t actually think about whether that is improving the security. I believe in regulation of standards but not when it comes to ticking the box to pass that standard rather than doing it right."
