Internet-connected consumer devices can provide economic and social benefits. Weaknesses in the cyber security of these devices can undermine the privacy and safety of individual users, and can be used for large-scale cyber-attacks.
Insecure devices can compromise consumers' privacy and security or be hijacked and used to disrupt others' use of the internet. In 2016, the UK Government committed £1.9bn to cyber security over five years, as part of its National Cyber Security Strategy. This included an objective for most new online products and services to be cyber secure by default by 2021. In March 2018, the Department for Digital, Culture, Media and Sport (DCMS) proposed a voluntary Code of Practice for industry to ensure that devices are 'secure by design', with strong security built in, reducing the onus on consumers to securely configure their own devices. This code was published in October 2018.
Causes of Poor Cyber Security
A range of economic and technical drivers have contributed to the poor cyber security of many consumer devices. User behaviour is also an important factor for device security.
The US National Institute of Standards and Technology suggests that vulnerabilities are often difficult to discover and correct, and more should be done during software development to prevent, identify and mitigate them. Best practice guidelines recommend that device producers establish a vulnerability disclosure policy, including providing a public point of contact to which vulnerabilities can be reported when they are discovered, and a process for remediation. Firms routinely release security updates for devices such as laptops and smartphones to address known software vulnerabilities. Some updates are automatic, but many require users to install them. A 2016 survey of 2,000 connected device owners found that 40% had never knowingly updated their devices.
Security may also be affected by the choice of hardware. Due to physical, technological or cost constraints, many small internet-connected devices have limited processing power, battery life, data storage, and capacity to transfer data.
Consumer surveys by the cyber security industry show that poor cyber security practices are common. These include using default, weak, or reused passwords. The Government has highlighted that consumers lack the information needed to assess security when buying devices, saying that cyber security should not rely on users and that devices should be designed to be secure and easy to manage.
Approaches to Improving Cyber Security
Efforts to improve the cyber security of consumer products have focused on establishing good practice in industry, informing consumers, and developing the cyber security skills of consumers and those involved in producing and supplying devices. Steps are also being taken internationally to address cyber security challenges.
In 2018, DCMS consulted with industry and academia to produce the Code of Practice for Consumer IoT Security, which outlines good practices for the development, manufacturing and retail of connected consumer devices. The guidelines aim to encourage the integration of cyber security into products, reducing the burden on consumers to ensure that their devices are secure.
The top three guidelines are:
* Eliminate non-unique default passwords
* Adopt a vulnerability disclosure policy (Technical Drivers)
* Make secure software updates available for an explicitly stated length of time
Source: Houses of Parliament – Parliamentary Office of Science and Technology