By Gabriel Aguiar Noury, Robotics Product Manager, Canonical

The Internet of Things (IoT) market is at a defining stage in its growth. The influence can be felt across a broad range of industries, from automotive and hospitals to governments and manufacturers.  All have recognised the benefits connected devices can bring, from more efficient operations to greater productivity, and have adopted them into their workplace settings. As a result of these developments, it should come as no surprise to learn that the global IoT market is expected to reach a value of $1,386bn by 2026, up from $761bn in 2020.

During this widespread adoption of IoT devices, there is one key area that gets overlooked, and that’s security. Often this can be for a number of different reasons, but most commonly it’s due to a lack of awareness of security measures and the complexity of the technology making it challenging to implement hardening and security policies. As a result, device security has been low on the agenda for some time. Now is the time for everyone – businesses and end-users – to take security seriously. Through data security policies such as GDPR, consumers have come to demand the highest protection when sharing their personal details online, and the same principle should guide the security protocols of IoT devices too. Threats will continue to become more sophisticated as the technology grows and hackers become adept at exploiting the weaknesses of the technology.

Overlooking security 

Often, when a business connects a device to the internet, they do so with very little protection. For example, when they download apps to their business or personal phones to control the devices, they do so without reading the terms and conditions. As a result, businesses don’t invest the time to fully understand where their passwords and other sensitive data they have been sharing across the IoT network is being stored, or are using devices without checking if they are getting security updates. All of these factors lead to a network ready to be compromised by hackers. This is a key aspect businesses need to understand about IoT devices; once a hacker has access to one, they can breach other connected devices and exploit the network as they wish.

All businesses need to learn how to best protect their connected devices, and it goes far beyond a simple password. When first adding a device to a network, it’s crucial for businesses to go through the settings and customise the settings to their exact needs. We often use the default settings for simplicity, but the approach might not fully protect the business’ data. For example, CIS Critical Security Controls – a prioritised path that helps improve a cybersecurity programme – gives users additional guidance on protecting their network.  IoT manufacturers should follow the same principles as well, to ensure end-to-end security across every part of the business chain.

An additional step a business can take is multi-factor authentication – which not all manufacturers do, but this must change to prioritise security. This can act as a backup if a password fails and can be as simple as receiving a text, or more advanced measures like biometrics. However a business decides to protect their devices, it should be done as soon as the device is implemented into the network, as attempting to go back and retrofit security afterwards will always leave loopholes for hackers to exploit.

Looking back through history, it often takes a widespread breach for people to take security seriously. As an example, The Morris worm was the first computer worm that gained significant mainstream media attention after it infested millions of computers and paralysed the internet for several days. The scandal led to the US viewing cybersecurity risks with the care and attention they deserved. Now, just like in 1988, we’re witnessing so many businesses overlooking security risks, and it is up to the IoT companies to take control of the situation.

Welcome regulations 

In 2022, we are set to see IoT security become a major focus for businesses and governments. The UK is one of the first countries that started working on such regulations, conscious of the interconnected risk that IoT devices can bring. Just recently the government announced The Product Security and Telecommunications Infrastructure Bill, which is a step in the right direction to mandating better cybersecurity practises for connected products. Looking ahead, to ensure the bill is as effective as possible in reducing the risk for businesses, there are a few points that must be considered.

The first is enforcement as the bill will only work if people abide by what is set out in it. Provided that the enforcement measures are up for the task, the bill will help to ensure that all products meet minimal cyber security products. With this, however, has to come the necessary punishments to ensure companies keep in line. Another key aspect to consider is international parity. Like the UK, countries are developing their own laws to confirm the new legislation, and it is vital to ensure there is some level of standardisation. As the production of IoT continues to increase globally, it’s also important to ensure international collaboration; as international manufacturers keep up to speed with regulatory changes, then organisations can work together to combat coordinated security threats.  Finally, we cannot forget about the manufacturers. To avoid blocking startups and innovators as a whole, the UK will also have to deploy tools for companies to understand and be compliant with the new regulations. If all of these elements are addressed alongside the bill’s approval, then the UK will be in a strong position when it comes to IoT security.

The steps taken by the UK to introduce this bill are welcome. 2022 has to be the year that the industry starts taking security seriously, or they risk another Morris worm that will simply force the industry to change. While it’s down to the IoT manufacturers and regulators to put measures in place to ensure the security of IoT devices, consumers also have a responsibility for their own security measures. Combined, 2022 can be the year where IoT shakes off its reputation for weak security practises and the connected devices in a business’ network become impenetrable.