Beware the ticking Internet of Things security time bomb

Debate focuses on moving full-speed ahead with IoT vs. pausing to build in security first

TIE Startup Con panel
Bob Brown/NetworkWorld

IBM’s Andy Thurai didn’t quite put the words into former RSA CTO Deepak Taneja’s mouth, but did prompt him by asking at the start of a TIE Startup Con panel in Cambridge, Mass., earlier this month whether Internet of Things security is a “time bomb ready to explode.”

Taneja responded that technology is advancing at a rate that’s outstripping enterprises’ ability to secure internal and cloud resources, and then along comes IoT in the form of all sorts of networked sensors and gadgets. “Organizations aren’t spending that much on security. It’s increasing, but it’s not enough and IoT only makes it worse,” he said. “So it is a time bomb.”

Money will start being spent on IoT security once serious breaches occur, said Taneja, who sold security company Aveksa to EMC in 2013.

Thurai (@AndyThurai), who moderated the panel also featuring LogMeIn’s Paddy Srinivasan (@Paddix) and IDC’s Rohit Mehra (@rmehraidc), was by no means suggesting that anyone should put the brakes on IoT development. In fact, he reiterated throughout the session that to some degree “you can’t worry about security and privacy when you’re innovating.” Not that he was suggesting anyone be reckless. “Do it as a lab exercise if you need to,” said Thurai, who is program director at IBM for API Economy, IoT and Connected Cloud. 


Srinivasan, VP and head of products for Xively Internet of Things at LogMeIn, said that a big difference between the emergence of IoT and cloud computing is that lines of business were the main catalysts for the cloud whereas OEMs of physical products (say light bulbs) have taken the lead on IoT. “Most of them barely have IT staff,” said Srinivasan, whose company offers remote access and support via a SaaS model. 

The perceived information security risk of installing a non-networked light bulb is basically zero, but “the minute you connect it, there are so many things you have to think about… Most OEMs spent decades building those products and honestly don’t have that much software savvy.” Coming up with cost-efficient security will be a challenge, but he said it should be worth it to the OEMs since they stand to transform service and sales enablement. He cited Michelin’s strategy to sell “tires as a service,” using embedded technology to detect wear, under-inflation, etc.

IDC’s Mehra says the key to IoT security will be baking security into IoT devices or at least integrating it as a service from a partner company (IDC sees the number of IoT devices – including those that process data and those that don’t – exploding from 9 billion in 2014 to 30 billion by 2020). Otherwise, IoT vendors “run massive risk of their business plans falling apart,” he says.


Even if IoT device makers are thinking about security now, a problem is that no one really understands yet what’s needed security-wise, Taneja said. Issues such as data ownership, when it comes to wearables, are up in the air. “As a security industry we haven’t come up with models to deal with this,” he said.

And that’s a major reason why Thurai says he isn’t wearing any body media yet. After all, there are companies out there looking to monetize data from him and others, without giving him a cut. "It's almost like credit bureaus buying and selling info about you, and the only one who doesn't know anything about you is you," he says.

Panelists and other attendees said, though, that IoT vendors can certainly sweeten the offer to tap into your data if they figure out ways to crunch it and then deliver valuable feedback to you (say, by sharing smart toothbrush information with users that would help them cut dental costs over time by helping them perfect their hygiene techniques).

Mehra expects that regulations will be developed to help protect data and give users more control over it, on an opt-in basis, as has been the case with HIPAA in healthcare.

Taneja says, though, that the emergence of such regulations may not faze most people, like the many who can’t be bothered to read the big and arcane legal agreements they’re peppered with every time they sign up for a new web service, such as Facebook or something from Google.


Copyright © 2015 IDG Communications, Inc.