Time to get real about consumer IoT security: rotten apples and the human factor

Of course, industry bodies, local government awareness programs (as I mentioned in the beginning) and all kinds of associations are working towards enhanced security as well. This certainly also happens in the IoT industry, where security initiatives pop up faster than ever.

Just one example of such initiatives, here in the consumer space: the introduction of a new S2 framework by the Z-Wave Alliance (Z-Wave is a smart home standard), which is mandatory for all vendors who want Z-Wave certification after April 2nd, 2017.

However, let’s face it: not every vendor is as concerned about security as about profit, to say the least, certainly not those that don't use standards where security is a condition for certification. That’s a challenge for the industry. You know the saying about the barrel of apples and the few rotten ones. In the end, and we’ve seen this so often in various areas, regulators step in. No matter how you feel about regulation and regardless of industry initiatives: it’s an open secret that some of those (often cheaper) devices are made by companies that don’t take even the most basic security principles into account. Yet there is no way for the average consumer to know, and no way of shipping these devices right back to the countries where they come from.

But, again, with the Internet of Things the stakes are higher, much higher. That brings us to the question: do we soon need to educate consumers on what to do and what not to do, from a security perspective, when acquiring specific connected devices and solutions?

Are they going to read product tests such as the ones “security in the cloud leader” Zscaler recently did? No. The fact is that there is no guidebook, and efforts to educate consumers are of course scattered across companies, associations, governments, you name it. There is no ‘one place to go to’. Maybe it’s not needed or possible, maybe we need regulation instead, but we do need something and, preferably, several concerted efforts.

Education on security is crucial in organizations where security is not an afterthought but is looked upon from a holistic, end-to-end perspective, as it should be in this digital business age.

What’s the first and most essential part of such a holistic security approach? Indeed: educate your people, as they are a major cause of security breaches. You can invest in a state-of-the-art security solution with predictive analytics and an embedded security strategy approach, but if the human factor is overlooked, then nothing else works.