Those who know they are inventing the future often have minimal, if any, concern for understanding what has gone before. Therefore, what can be done, and what is being done, to improve IoT privacy and security can be worlds apart. With that in mind Dinesh Abeywickrama Bcs, MBCS discusses some legitimate security concerns and looks at where to start in addressing such issues.
While technological development offers a lot of opportunities, the growing threat of the internet of things (IoT) is hastily becoming a certainty, as novel attack approaches and innumerable devices emerge. This is where the technically surprising objects and inventors of the digital services are at a serious disadvantage.
Some of the most significant security concerns troubling CSOs at the moment are discussed below.
Altering credentials
It’s imperative to reset the usernames and passwords instead of keeping the defaults as the equipment will repeatedly compromise. The malware will be able to attack these devices by simply logging into them with their factory default credentials (Shen & Chiou, 2010).
Reconnecting power sources
Usually, malware used in virus attacks are stored in memory and can be erased with a power cycle.
Deactivating UPnP support
Universal and Plug and Play, which automatically open virtual ports that can ‘poke a hole’ in the router’s shield, can make devices discoverable on the internet and vulnerable to malware infections.
Backups in place
Keeping backups to restore information when the system needs to be rebooted. Hence, investing on backups would definitely save a lot of money when dealing with an accidental situation (Lee, 2009).
Endpoint protection software
With the development of the IoT chances of a security breach continue to rise. Therefore, the ultimate goal is to limit the damage in the event that it does happen.
Maintain device updates
Periodically check for firmware updates and device patches to ensure IoT devices are current and running the latest firmware updates from the manufacturer.
Two-step verification process
Adding another layer of protection for data will be essential when many devices are being connected via the same username and password.
MDM approach
Basically, companies can inject the data encryptions from the remote locations and change it whenever needed. Devices can also be profiled or removed from access. Also, it is possible to manage the apps that run on IoT devices (Lee, 2009).
However, when one especially deals with juvenile technologies and undersized markets, these security concerns will outcome trade-offs, as boosting security most of the time compromises the user experience; nevertheless, it’s important to maintain the contextual optimum equilibrium (Wijewardene and Khatibi, 2016).
So how do you implement security measures while maintaining a good user experience?
Keeping a favourable balance between user-experience and security is becoming an increasing focus as device interconnectivity and multi-device use continues to grow with the increasing human needs and wants.
IoT protector’s design
According to the book ‘The Design of Everyday Things’ a usability engineer, Donald Norman, talks about minimising the time and effort required to use a feature so that it doesn’t impact negatively on the user experience. Security features are, in a sense, a ‘barrier’ to something else so it is vital that you remove any additional, unnecessary steps so you don’t discourage the user. When it comes to security, users don’t want to feel confused or lost in the process; keep it simple (Norman, 1988).
There are various ways this can be achieved.
Visibility of the security function
The more visible the security functions are, the more likely users will be able to know the next step to do in order to secure their important equipment or the information.
Feedback at a breach
Feedback is about sending back information about what action has been done and what has been accomplished, allowing the person to continue with the security activity.
Constraints to ease security steps
The design concept of constraining refers to determining ways of restricting the kind of user interaction that can take place at a given moment, especially with a strange user.
Security mapping
This refers to the relationship between security controls and their pragmatic outcomes, be it a flashlight, car, power plant or a cockpit.
Affordance of security measures
Concerning a security breach, the human mind gets confused. Therefore, taking a measure with clarity is imperative to safeguard the system. For example, a caution message box button invites a user to push, but, in a way, it is physically constrained as it’s the only button to press (Norman, 1988).
Educate yourself
The higher the knowledge, higher the motivation. First and foremost, it is better to stay educated on the latest security practices. By knowing the latest security trends, you can be proactive and keep your company secure without compromising user satisfaction and experience. In most cases, when you are confused with sophisticated equipment and security measures, you gain less hedonic motivation (Wijewardene and Khatibi, 2016).
Orchestrated cyber and physical security
The user will gain extensive benefits and see the potential of IOT by marrying cybersecurity and physical security solutions simultaneously, while proceeding one’s day-to-day IT-related activities. Predominantly, there are two benefits for the user.
Firstly, correlating the information from multiple security systems provides a more detailed view of activities inside and outside the network.
Secondly, security systems can communicate directly as automated systems, without human intervention.
Basically, machine-to-machine (M2M) communications shave precious seconds off the response time. The security systems follow different policies for different types of events.
For instance, if the entry control system distinguishes the use of a badge reported as ‘stolen’, the automated actions might be to ‘lock the door’, block access to machines and computers in the area, alert security officers, and signal the video analytics software on a nearby camera to identify the individual using the stolen card.
The internet of things obscures safety by accumulating billions of potential attack vectors. At the same time, it could reinforce users’ security stance by congregating far more intelligence about intimidations and systematising responses based on policies.
A comprehensive approach to IOT is divided into many areas. Firstly, extend cybersecurity and physical security solutions together to both the IT and the IoT environments. Through this step, users can protect their networks, equipment, information and privacy from the inside and the outside.
Mutual solutions
It is very beneficial to program the solutions to work together. Therefore, users will get more information about their threats and speed up responses by taking advantage of M2M communications. Analysing IoT data in the ‘fog layer’ saves precious milliseconds that can make the difference between preventing a threat and trying to mitigate its damage.
Profound policies
To fast track and uphold the long-term viability of the IoT, the nation’s policy framework should encourage solutions based on parallel building blocks and an open architecture, via the entire paradigm of the stakeholder networks, which is scalable, interoperable, and reusable across deployments, vendors and sectors.
Similarly, public policy context should also consider gears to rush IoT adoption and enable cost effective introduction of new technologies and their security systems including open standards efforts, targeting centralised or government funding, and impactful public-private partnerships.
Likewise, with a comprehensive approach to security, individuals like us, private organisations and state cooperation are free to capitalise on the IoT to improve user experiences, business outcomes, government objectives and overall safety in extraordinary ways.
Dinesh Abeywickrama
(Sri Lankan IT strategist, researcher and author, Member of British Computer Society and Executive Officer at the Capital Maharaja Organization.)
References
- Lee, M. C. (2009). Factors influencing the adoption of internet banking: an integration of TAM and TPB with perceived risk and perceived benefit. Norman, D. (1988). The Psychology of Everyday Things.
- Shen, C. C., and Chiou, J. S. (2010). The impact of perceived ease of use on internet service adoption: the moderating effects of temporal distance and perceived risk, Computers in Human Behavior.
- Wijewardene, U. P., Khatibi, A. (2016). Critical factors influencing students’ acceptance of online learning over traditional method: an empirical study in Sri Lankan higher education.
Download ITNow – University of Oxford Press
Before it’s too late – British Computer Society