Devices and applications play an increasingly important part in our everyday lives. As these technologies become smarter, so they grow in potential. The evolution of the smart city sees such devices employed to manage and maintain basic services, while smart homes and businesses are adopting the ubiquity of connected solutions to enhance productivity, reduce friction and transform how systems interact with one another.
The connected future, postulated by conversations around the Internet of Things (IoT) over the past 10 years, has arrived. Yet few realise that these technologies are still in their relative infancy. The devices, the connectivity touchpoints, the vulnerabilities – these present relatively new challenges that have to be overcome to ensure data, citizen and corporate security. For the IoT to succeed, it must be developed with a clear eye on both the physical and virtual environments, using best practice and reliable, certified partners to ensure a resilient security posture.
State of play
The cybercrime landscape continues to present a significant threat, particularly with regard to the IoT. According to Gartner, more than 13 billion connected devices are expected to be in use by the end of 2020, and McKinsey estimates that by 2025 IoT systems could contribute around £155-270 billion to the global economy thanks to more efficient energy and labour management.
Yet amidst these statistics lies the concern, highlighted by the UK government’s Cyber Security Of Consumer Devices report, that insecure devices can compromise privacy, be hijacked and be used to disrupt services and lives. The UK National Cyber Security Strategy was established specifically to focus on security across both the physical and cyber realms, and regulations are being continuously updated to ensure that security remains at the forefront of the technology conversation.
Regulations such as the General Data Protection Regulation (GDPR) and the NIS Directive (directive on the security of network and information systems) have been put in place to ensure that organisations are paying attention. With GDPR, an organisation is held liable for any breach, especially if this is found to have been achieved through poorly managed security systems and applications. One of the biggest threats to security is a lack of understanding around the vulnerabilities that exist in physical devices.
Often, cybersecurity – that is, security focusing on the virtual threat – is given priority. Few realise that a layered cybersecurity approach is critical, as is working with products, services and solutions that are certified, compliant and designed with these risks in mind. A truly robust and holistic approach to security recognises that each piece of technology plays a role in ensuring that a whole system is secure.
Credentials that ensure security compliance
Ensuring high levels of security throughout the supply chain continues to present a challenge. Physical IoT devices, such as IP cameras, that do not meet the required standards ultimately pose a threat to the entire chain, no matter how sophisticated or expensive the cybersecurity investment. An improperly maintained or insufficiently tested piece of equipment could enable backdoor access to malicious parties, putting systems, people and business operations at risk of attack. This risk can be mitigated by working with certified service providers that embed security at the granular level.
The right technologies are those that are deemed secure and fit the requirements of the NIS Directive. In the physical security arena, Secure by Design, Secure by Default accreditation, awarded by the Surveillance Camera Commissioner (SCC), and Cyber Essentials Plus, a certification awarded by the National Cyber Security Centre, are accolades that provide proof of a manufacturer’s security credentials and verification that its products and services are designed and built with security at the forefront.
These credentials play a role in forming the strategic implementation of solid security goals that are aligned with regulation and best practice. It’s important that an organisation establishes that the solutions it is considering have appropriate certifications and will operate with other devices or as part of an overarching platform, and that it discusses how security is managed and maintained across the ecosystem. Those installing security technologies can benefit from training and education, provided by an approved provider or device manufacturer, which will cover best practice and explore appropriate measures to ensure high levels of security throughout a project.
The potential for the continued success of the IoT is too great to be hampered by weaknesses in physical systems, such as a forgotten IP-flaw. The challenge does not lie in how to create the ultimate IoT platform, but in securing it across every touchpoint and unexpected vulnerability. Stakeholders should seek reassurance that the organisations they work with operate with credentials that prove they take security seriously, have achieved significant standards in security and design, and can demonstrate that their products meet the minimum requirements expected in terms of cybersecure surveillance and resilience.