The concept of something monitoring every conversation and action that takes place in the privacy of our own homes is unsettling – something straight out of a Black Mirror episode. That’s why it’s fascinating to see voice-activated, Internet-connected devices starting to infiltrate our everyday lives. While these devices offer convenience, allowing us to turn on the lights, change the music and talk to our friends from the comfort of the couch, our increasingly connected world opens us up to security and privacy risks.
The fact is that IoT is here to stay, but the ubiquity of these devices is creating a much larger attack surface and easy entry points for hackers to gain access to users’ networks. So what’s the solution? It starts with implementing real-time, continuous visibility and establishing a policy framework that encourages the development of a robust IoT ecosystem globally. Only with this enhanced infrastructure in place will we be able to protect the data that consumers are creating through the use of their Internet-connected devices.
Protecting this data is a necessity as more and more consumers are voluntarily offering up their rights to security or privacy in search of convenience. A 2016 Pew Research study indicated that over half of Americans find it acceptable to trade certain privacy rights in exchange for something of value, such as installing workplace surveillance cameras to keep items safe in the office or managing patient healthcare records online. Here’s how it’s happening:
On the Internet: A certain level of trust in the system has become innate, which has led many people to stop worrying about so-called “minor” items being leaked on the Internet. Many users feel no qualms about using their full legal name on Facebook, for instance, or posting their email address and phone number on LinkedIn or when signing up for a contest or giveaway. If it isn’t a social security or credit card number, the typical user doesn’t concern themselves with the amount of personal data that’s available online. For most, the added convenience of perpetual connection to others and access to unlimited information online is worth the trade-off of a less private online presence. Most phone numbers and addresses can be purchased on various public information clearinghouse websites, while stolen credit card information and social security numbers, such as the information that was recently stolen from Equifax, can be easily purchased on the dark web.
In the home: Over the past few years, data has gone beyond the computer screen and into our day-to-day lives. Smart speakers such as the Amazon Echo have turned homes into connected locations, where a shopping purchase or music playlist is never more than an “Alexa” away. These types of devices are extremely handy for busy individuals or families, but they also introduce an unprecedented level of data gathering.
On (or in) your person: Smartphones have practically turned humans into living tracking beacons, with devices in their pockets that constantly monitor their physical activity and location. Going even a step further, consider the Wisconsin company that recently made headlines for RFID-chipping its employees. The chips are purported to offer various benefits for both the corporation and the employee, streamlining tasks such as making purchases at the company store and using the copy machine. However, the ethical and privacy implications of this technology have been discussed at length and have further emphasized the need to protect users’ data, especially when that data is the user itself.
Amidst all of this data collection, many have called for some form of policy to regulate what organizations can or cannot do with the data they receive from their various products – whether it’s a smart TV or an employee-implanted chip. The U.S. government recently introduced a new proposed policy to regulate IoT devices in use by the government, stating they must be “patchable” and conform to industry security standards.
Regardless of what form of regulation is ultimately put in place, the important piece to consider is ensuring that any and all policy is drafted in a way that helps progress rather than impeding it. If the only policy put in place is stricter regulation around the level of security a device needs to have to enter the market, the negative impact won’t fall on the hackers; it will fall on the device manufacturers. This could then snowball into a burden on businesses that would constantly have to maintain devices with software updates or full hardware rip-and-replace refreshes.
That’s why it’s so important to maintain security in the entire network, not at the device level – whether that device is a computer, a smartphone or a human being. As such, effective security management means having a unified approach that consolidates policy management, visibility and reporting across all physical, private and public networks. Network security must be intuitive enough for all stakeholders to manage easily, scalable enough to handle security deployments wherever data flows and autonomous enough to intelligently correlate events across the entire network. Only then can the convenience these connected devices offer be offset by the security that is necessary to keep users’ data safe.