Guest Blog: Security by Design: Improving the cyber security of consumer IoT

This guest blog was authored by Gordon Morrison who is Director for EMEA Government Affairs, Splunk. However, this blog and the views expressed are in his position as Vice Chair of the techUK Cyber Group.

The Department of Culture Media and Sport (DCMS) today released an interim report on how we can take action to protect consumers of Internet of Things devices from cyber threats. techUK thinks this is a good thing. UK Government is one of the first to look at this problem; it is right to take it seriously and should be commended for showing leadership here.

Simply put, by designing security into consumer devices from inception, the consumer can be better protected and the huge socio-economic potential of consumer IoT technology can be realised. As stated in the report, there will be 20Bn internet-connected devices worldwide by 2020, and the number of internet-connected devices per household will increase from approximately 10 now to 15 in 2020.

Equally significant is that the economic opportunity from IoT is huge. But the threat and risk to consumers using these devices is only likely to increase given the larger attack surface. Criminals also realise that vulnerabilities in these devices could be exploited in large-scale attacks, across multiple geographies, to cause significant disruption.

techUK itself was involved in generating the code of practice. It has a number of sensible guiding principles or objectives: reducing the burden on consumers, providing greater transparency on the security mechanisms that have been put in place, being better able to measure the effectiveness of these mechanisms, improving dialogue between all parties, and increasing the resilience of critical functions and services.

The code of practice itself is designed for multiple stakeholders: device manufacturers, IoT service providers, mobile application providers and retailers. It provides 13 areas, listed in priority order, for stakeholders to focus on, ranging from removing default passwords, keeping software updated, minimising attack surfaces and protecting personal data, to making it easy for consumers to delete personal data and monitoring system telemetry data.

The challenge for industry is in making this a reality and turning these recommendations into a strong reason for consumer choice. If you can produce a ‘secure by design’ device, then consumers may select your product because of this. However, the economic challenges are significant and, as we have seen in a globalised world, the market does not always choose a more secure device over a cheap one.

In the report the Government accepts that, for this to be truly effective, it cannot be taken in isolation and that this is a global challenge. From an industry point of view this is critical: we ask HMG, the EU and other international bodies to ensure we all work to a common practical framework that does not introduce unnecessary cost or stifle innovation. techUK members are committed to the aims of this report and agree that the secure by design principles have the potential to help consumers fully embrace and benefit from the exciting promise of these devices.

techUK is committed to helping UK Government gain wider adoption of the principles and code of practice. As recognised in the report, closer dialogue between stakeholders is required, and it’s important that the tech industry remains engaged and has some influence on its development and adoption.

This blog is part of a series of guest blogs on consumer facing IoT. Read techUK's response to Government's Secure by Default announcement here.

For more information on techUK's work on securing the IoT please contact:
