Internet of Things device security has become more critical than ever: the risks now outweigh the opportunities, and the potential threats extend from an individual to an entire government.
Gone are the days of security-through-obscurity for connected consumer products. Designers can no longer ignore the risk that a potential security compromise poses to their brands.
As a result of growing concerns, U.S. lawmakers recently introduced the Internet of Things Cybersecurity Improvement Act of 2017, which seeks to impose minimum security requirements on devices purchased by the government. While the proposed legislation focuses on public sector IoT, it is a likely stepping stone to broader regulation of security in all IoT devices.
The lack of security in IoT devices was generally not due to lack of leadership or engineering capabilities; rather, it was a market failure. Devices were insecure because it didn’t make economic sense to implement an appropriate level of security.
But brand-conscious leaders of companies that manufacture connected devices are starting to consider what’s called the annualized loss expectancy associated with security risks. Product stakeholders are quickly becoming aware that improper security is no longer a negligible risk to their brands.
With some straightforward strategy in hand, device makers can reduce this risk and meet customer expectations without undue impact on their business models.
Digital security and privacy live on a spectrum, from complete openness to extremely powerful cryptographic protection. Heightened security will always come with downsides, including negative impacts on:
- User experience: Authentication and the provisioning of cryptographic systems always introduce extra and often cumbersome steps for users.
- Product cost: Complex cryptographic operations or the need for secure storage can significantly increase the cost of silicon.