Guest Blog: Security by Design: Improving the cyber security of consumer IoT

This guest blog was authored by Gordon Morrison, who is Director for EMEA Government Affairs, Splunk. However, the views expressed in this blog are given in his position as Vice Chair of the techUK Cyber Group.

The Department of Culture Media and Sport (DCMS) today released an interim report on how we can take action to protect consumers of Internet of Things devices from cyber threats. techUK thinks this is a good thing. UK Government is one of the first to look at this problem, is right to take it seriously, and should be commended for showing leadership here.

Simply put, by designing security into consumer devices from inception, the consumer can be better protected, and the huge social and economic potential of consumer IoT technology can be realised. As stated in the report, there will be 20Bn internet connected devices worldwide by 2020 and the number of internet connected devices per household will increase from approximately 10 now to 15 in 2020.

Equally significant is that the economic opportunity from IoT is huge. But the threat and risk to consumers using these devices are only likely to increase given the increased attack surface. Criminals also realise that vulnerabilities in these devices could be exploited in large scale attacks, across multiple geographies, to cause significant disruption.

techUK itself was involved in generating the code of practice. It has a number of sensible guiding principles or objectives: reducing the burden on consumers, providing greater transparency on the security mechanisms that have been put in place, being better able to measure the effectiveness of these mechanisms, improving dialogue between all parties and increasing the resilience of critical functions and services.

The code of practice itself is designed for multiple stakeholders: device manufacturers, IoT service providers, mobile application providers and retailers. It provides 13 areas, listed in priority order, for stakeholders to focus on, including removing default passwords, keeping software updated, minimising attack surfaces, protecting personal data, making it easy for consumers to delete personal data and monitoring system telemetry data.

The challenge for industry is in making this a reality and turning these recommendations into a strong reason for consumer choice. If you can produce a ‘secure by design device’, then consumers may select your product because of this. However, the economic challenges are significant and, as we have seen in a globalised world, the market does not always choose a more secure device over a cheap one.

In the report, the Government accepts that for this to be truly effective it cannot be taken in isolation, and that this is a global challenge. From an industry point of view this is critical - we ask HMG, the EU and other international bodies to ensure we all work to a common practical framework that does not introduce unnecessary cost or stifle innovation. However, techUK members are committed to the aims of this report and agree that the secure by design principles have the potential to help consumers fully embrace and benefit from the exciting promise of these devices.

techUK is committed to helping UK Government gain wider adoption of the principles and code of practice. As recognised in the report, closer dialogue between stakeholders is required, and it’s important that the tech industry remains engaged and has some influence on its development and adoption.

This blog is part of a series of guest blogs on consumer facing IoT. Read techUK's response to Government's Secure by Default announcement here.
