This year’s RSA Conference, the premier event for the cyber security industry, had an agenda dominated by IoT. IoT security is a hot topic, and for good reason. IoT depends on massive amounts of data traveling over numerous networks, and that presents a tremendous opportunity for hackers.
Businesses and consumers used to worry only about securing their computers, laptops and smartphones. In an IoT world, there are thousands of devices, sensors, networks and software platforms that can also be hacked.
Why Addressing Security in IoT Is So Critical
According to computer science professor and TED speaker Avi Rubin, anything can be hacked, including police radios, smartphones, scanners, medical devices inside or outside the body, battleships, planes, bombs, soda machines, voting machines and even the infrastructure of the United States. If it has an RFID tag, sensor or computer chip, it’s vulnerable. It’s not just that these systems can be hacked; there are countries intent on doing just that. In fact, the Infosec Institute predicts that computer espionage will be the number one threat to companies and countries in 2015, and that the number of cyber attacks against IoT devices will rise inexorably.
Not everyone is as pessimistic as Rubin. HP recently created the Open Web Application Security Project (OWASP) to address IoT security issues in a variety of hackable devices.
Their study shows that, realistically, only 70 percent of IoT devices are hackable. According to the study, HP examined 10 common smart devices, including thermostats, smart TVs and webcams. Each device, HP claimed, had approximately 25 vulnerabilities.
Beyond the obvious problems of strangers, foreign governments or even terrorists holding your data or gaining access to your customer base, the annual cost of a data breach was US$3.5 million according to Ponemon’s 2014 Cost of Data Breach Study: Global Analysis. That’s up 15 percent from 2013.
There’s the initial cost of the breach, and then there’s the cost of customers leaving after the breach. Research shows that the loss of customer loyalty and company reputation is the biggest hit companies take after a breach. Industries such as pharmaceuticals, financial services and healthcare experience the highest customer turnover.
HP strongly recommends that companies have preventive measures in place before a breach occurs. HP also reports that, “having an incident response and crisis management plan in place, an efficient and effective response to the breach and fast containment of the damage has been shown to reduce the cost of breach significantly.”
In February 2014, Senator Edward J. Markey (D-Mass.) presented a report called Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, which challenged auto manufacturers to make vehicles more secure against hacking and urged Congress to enact legislation to protect consumers.
Automobiles may benefit from industry-specific legislation, but for IoT in general the Federal Trade Commission (FTC) offers tips and advice to businesses while saying it is not yet time for blanket legislation.
Risks of Not Addressing Security In Your Messaging
By not being upfront and addressing customer concerns about your solution’s security posture, your company faces a variety of risks — including loss of your customer base if (and when) a breach does occur. Any company doing work or providing services or products in the IoT space needs to be prepared, and security needs to be its top priority. A guarantee of data security is often the only thing standing between you and the loss of your customers, or even your company.
Mitigate Risks, But Don’t Overwhelm Your Client/Customer
Parents use age-appropriate language with their children so they don’t overwhelm them with too much information. You can do the same, using client- or customer-appropriate terms and messages so they aren’t overwhelmed either. How do you do that?
Make security a constant part of your message, but not the whole message.
Don’t overdo the security message, but don’t ignore it either.
Touch on security; don’t dwell on it.
Use user friendly terms like, “This app does xyz in a secure way.”
Make sure you’re HIPAA compliant when working with healthcare companies; for example, any exchange of PHI (protected health information) must be fully encrypted.
Make sure your customers know their information is going to be secure.
Have an answer for every question your client or customer might ask before anything bad happens.
Reverse-engineer your response — figure out what your security story is before a problem exists, even at another company. Once any company or industry is hacked, your customers will come to you and ask, “Are we safe?” Have an answer and a plan to assure them they are.
Having the right content already on your website will do wonders in keeping clients informed, educated, aware and confident in your ability to protect them.