IoT security cannot be an afterthought: it must be the foundation of design

As technologies for the internet of things mature, developers need to make security by design a fundamental part of their products

For too long, our approach to cyber security in the internet of things (IoT) has been: “Security? Yeah, we’ll do that once we sort out this bit”. To be honest, most parts of the digital economy have gone through this phase – and it’s easy to understand why.

If you’re building an exciting new product or service then you naturally focus on the opportunity at hand – what problem will it solve, and how will you market and sell it?

But as digital technologies mature, developers also realise they have to consider how to build a new product securely, from the ground up – and so it is now with IoT.

We know this is incredibly important for two reasons. First, research that TechUK has undertaken with GfK on consumer attitudes to the “connected home” shows that concerns about privacy and security are some of the biggest barriers to the adoption of this technology.

Second, unsecured devices can be grouped together to attack other parts of the internet, as we have seen with increasingly large distributed denial of service (DDoS) attacks.

Security by design

It is for these reasons we have been involved with and strongly support the government’s recent Secure by Design report. In taking action, we are reassured that government pushed to strike a balance between allowing the fantastic innovation that we are seeing in the IoT market and ensuring concerns about security don’t undermine trust in IoT.

That innovation in IoT is making tangible differences to people’s lives – look at the incredible work being trialled as part of the Diabetes Digital Coach programme in the west of England. As well as its life-changing uses, IoT can also help with some of life’s more mundane but expensive issues, such as alerting people to a burst pipe at home.

Government’s proposed approach is based around a Code of Practice for device manufacturers, service providers, app developers and retailers. It has 13 points in total, but we want to highlight the priority areas, which are: no more default passwords; implement a vulnerability disclosure policy; and keep software updated for a defined time period.

We will be working closely with government on the wording of some of these and how they will be implemented. But, be in no doubt, these are basic measures which every company should be adhering to. 

Building trust

Alongside the Code of Practice, government has floated a potential labelling scheme for IoT products to help inform the consumer and build trust in companies participating. In principle, it is a good idea and can be a tool in helping consumers attribute value to security.

On a practical level, security, given the evolving threat landscape, is much more of a movable feast than, for example, energy efficiency. TechUK will be working with our members, government and industries to see if we can achieve the principle in a sensible way.

The government is also taking this approach to an international level as part of its efforts to create a safe but innovative and open internet. This is really important. Creating a culture of confidence and trust in IoT and digital technologies is critical in itself.

It’s time for IoT to mature, but growing up first has its advantages. By the UK becoming a leader in how to shape and guide these innovations – just as we believe we can in the matter of ethics in artificial intelligence – we can also attract talent and investment to Britain from around the world.
