Earlier today the Federal Trade Commission released a report on critical security and privacy issues related to Internet of Things technology. With over 25 billion devices connected to the internet worldwide – a number the FTC expects to exceed 50 billion by 2020 – the FTC’s report proposed security guidelines for manufacturers of IoT devices. According to Chairwoman Edith Ramirez, the FTC hopes that “by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
As summarized in the FTC’s press release issued today, the FTC’s guidelines for companies developing Internet of Things technology are as follows:
- “build security into devices at the outset, rather than as an afterthought in the design process;
- train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.”
These best practices, and much of the rest of the report, are the product of the FTC’s November 2013 workshop, The Internet of Things: Privacy and Security in a Connected World. The workshop brought together technology experts, industry representatives, and consumer advocates to discuss the benefits and risks of IoT technology. Workshop participants identified numerous benefits being provided by current Internet of Things devices, from connected medical devices to smart home appliances and cars. As for risks, three core IoT security risks were identified in the FTC’s report: “(1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety.”
This report is the latest sign of the US government’s heightened focus on cybersecurity. As with the cybersecurity proposals President Obama outlined in his State of the Union address last week, increased attention to security at the government level is a positive sign for consumers and the infosec industry alike. However, the FTC’s guidelines are just that – guidelines – and it is up to the private sector to accept them and put them into practice when developing IoT devices. Much like the PCI DSS, these guidelines offer a good starting point for protecting consumer privacy, but they are by no means comprehensive or exhaustive given the range of risks facing different types of IoT technology.
At the highest level, however, the FTC’s best practices can be adapted to any type of software or technology development. Themes like building security into the development process, providing ongoing employee security training, accounting for the security of third parties and service providers, and adopting a “defense in depth” approach are messages we hear often in the information security industry. And as recent breaches show, monitoring for and preventing unauthorized access to sensitive data should be key priorities for any enterprise operating today.
While the report is a positive sign in and of itself, the true impact of the FTC’s guidelines is yet to be seen. I, for one, am eager to see how the technology industry reacts, and whether any of these best practices are incorporated into future cybersecurity and/or data breach laws.
Image via John Taylor/Flickr