The CIO Masterguide to Harnessing IoT


From internet of things to internet of trust

Greater connectivity will bring huge opportunities, but companies and the public must be wary of threats to their data

The number of devices connected to the internet of things (IoT) is set to more than double in the next five years. While a surge in data promises gains in efficiency and productivity, experts warn of the growing threat from state-sponsored hackers.  

It isn’t the data on the devices that interests the hackers, says Dr Daniel Prince, a cybersecurity expert and senior lecturer in security and protection science at Lancaster University. It’s the fact that these devices – whether they’re smartphones, laptops or tablets – are connected to the internet.

“By utilising and exploiting internet connections, state-sponsored cybercriminals can launch a myriad of attacks,” Dr Prince explains. “Large-scale botnet attacks, for example, are much more effective if you can gain access to thousands of leaky devices via IoT. Once a device has been compromised, it then provides a ‘digital gateway’ for hackers to infiltrate servers and perpetrate wide-reaching cyber attacks.”

State actors

According to Hiscox, virus infestations, ransomware and distributed denial-of-service attacks are the three most common threats. However, data theft by rogue states is becoming much more widespread, the insurer notes. The fear is that such attacks could make consumers more reluctant to trust companies with their information.

Take the cyber attack on Equifax, one of the world’s leading credit reference agencies, for instance. According to the Sunday Times, the company suffered a state-sponsored cyber attack in which the personal data of 145 million Americans – nearly half the country – and around 13 million Britons was stolen: the largest attack of its kind. 

The perpetrators of the Equifax attack, which took place in May 2017 but was only revealed by the FBI in February 2020, were allegedly a team of elite hackers from the Chinese People's Liberation Army (PLA). But there are other rogue states involved. According to a 2018 article in The Wall Street Journal by cybersecurity expert and author Timothy W. Martin, North Korea subjects its southern neighbour to seventeen attacks every second.

Whether attacks that lead to data breaches are state sponsored or perpetrated by criminal networks, Hiscox, which produces an annual Cyber Readiness Report, says they have reached “a new intensity in terms of both frequency and cost”. 

A question of trust

In the face of such events, how can businesses act to regain consumer trust? The first step is to invest greater resources into safeguarding customer data, embedding cybersecurity best practice in their DNA.


At Lancaster University, Dr Prince works with a number of SMEs to help them inculcate a culture of cybersecurity from top to bottom. It’s not enough to instil these values in senior staff, he notes.

“For a workforce to be truly cyber-ready, everyone from the CEO to the most junior member of staff must be on board. If the culture is instilled in a company in the early stages, then there’s a much greater chance that it will remain an integral part of the company culture as it grows.”

But even making cybersecurity a central plank in a company’s ethos isn’t enough. A culture of cyber readiness must extend to all companies in the supply chain. A company is only as strong as its weakest link, Dr Prince says.

He gives the example of third-party entities that use personal data supplied to them by credit reporting agencies. Such agencies may not employ the same level of security measures as their suppliers, rendering their databases vulnerable to attack. This could be a huge problem for the company that supplied the data, he says. 

“The onus is on the owner of the data – in this case the credit agency – to ensure that it only supplies personal information to those that have proven cyber defences in place.”

Preparing for the worst

But to really restore consumer confidence, organisations – particularly those responsible for holding personal data – must implement a highly developed after-market contingency strategy that prepares them for the worst-case scenario. For example, credit reporting agencies are identity providers and should have internal processes and systems in place that constantly cross-check records.

“If they find that a hacker has created a fake identity using stolen data, the system should report it to other agencies and expunge the fraudulent data record. It should not be the problem of the user to clean up the mistake of the company,” adds Dr Prince.

Finally, the general public also have a role to play in realising that in cyber space, even seemingly free products come at a price – data. It may be unclear who will have access to this data, or how it will be used.

“Ultimately, if we want to protect IoT from hackers, regulators must demand greater governance, accountability and transparency from tech companies, while we must be more cyber aware ourselves,” Dr Prince concludes.

Commercial feature

AI helps protect endpoints in the IoT age

In this increasingly difficult threatscape, artificial intelligence can proactively protect data, assets and individuals

The number of connected devices is exploding as the internet of things (IoT) plays an increasingly influential and transformational role in nearly every walk of life, at home, in the workplace, on the streets and production lines around the world. There will be 75 billion connected devices by 2025, Statista predicts, and this will help drive huge efficiencies for businesses as well as eliminating mistakes from manual processes. 

As the number of devices continues to increase, so does the sheer weight of unstructured data within enterprises. Cybercriminals seek to manipulate such data for malicious purposes, intercepting IoT communications, from a sensor to a server, user to user or sensor to user, and altering its flow for their own personal gain. This could mean modifying the data to steal information, changing a value for financial gain or even industrial sabotage and state-funded cyberterrorism. 

The wide influence and availability of IoT, and the opportunities for malicious actors to intercept communications, pose a major risk to businesses. However, cybercriminals don’t always try to attack inside the businesses themselves because that’s hard to do. Though many prevention methods within organisations are not as effective as business leaders would like, 95 per cent of companies do nonetheless have a formal security policy in place that is shared with employees, according to an IDG study.

It is therefore far easier for hackers to concentrate on a business user that is working remotely, such as behind a personal firewall at home where the connection and devices are far less secure.

The rise of digital personal assistants, such as Google Home and Amazon Alexa, has exacerbated this threat and widened the attack surface. By targeting these kinds of sensors, hackers have new opportunities for stealing sensitive information. Last year, Security Research Labs claimed malicious apps could be designed to listen in on people’s conversations through Amazon’s Echo and Google’s Nest devices.

“We’re seeing a very different kind of threat,” says Adam Enterkin, senior vice president of sales, Europe, Middle East and Africa, at BlackBerry. “It’s not just the data itself in its rawest form that’s under threat, but also voice information, certainly from a remote attack point of view. Anyone has been able to use a microphone for many years, but not had access to it unless it was right in front of them. That’s definitely something we see has changed.”

With flexible working only set to rise further, enterprises need to ensure they are secure. Yet while companies are surely investing in cyber-prevention, the frequency with which high-profile breaches are exposed in the media is not slowing. The recent attack on foreign exchange giant Travelex is just the latest in a long line of large companies whose customers expected more robust cyber-processes from them. 

Often, hackers aren’t concerned about whether it’s a mobile, server or desktop, they’re just trying to get in by whatever means they can. 

“Some are now even chucking a USB key onto porches for kids to pick up and then put into the home computer or laptop. The hacker then has access to the families’ systems,” says Enterkin. “On top of that, an awful lot of people will have similar passwords for personal devices and their corporate systems. So, once a home laptop has been infiltrated, hackers can decipher passwords and get into corporate systems that way.”

A mentality shift is required among IT security professionals to ensure greater protection in the IoT age. Chief information security officers have spent years implementing policy-driven ways of protecting their assets, data and individuals, but enforcing the same rules and controls on everyone results in very inflexible ways of working. 

Traditionally, companies will deploy their IT services, acquire policy-driven devices and security measures, and then see what’s happening in their environment. Based on information they see around threats and vulnerabilities, they then retrospectively try to fix the issues that exist. 

This reactive approach cannot survive for long in the fast-changing world of IoT. Instead, BlackBerry is advocating beginning with a “left shift”, which requires a full review of security measures before deploying anything, rather than the other way around. It involves implementing a secure development life cycle and ensuring software is already at a certain security standard before it is deployed. 


Crucially, it also means looking at more adaptive ways of applying security, driven by artificial intelligence (AI) and machine-learning algorithms which learn from all the data and behaviour that is monitored across an enterprise environment. In the IDG study, seven in ten IT professionals said it’s only a matter of time before the window of vulnerability has a negative effect on their business continuity.

By feeding AI-driven insights back into their systems, businesses can close the window of vulnerability and constantly evolve their approach to security. The transformative effect AI has on security was the key driver behind BlackBerry’s acquisition last year of cybersecurity firm Cylance.

Chart: Top AI use cases for cybersecurity in organisations. Endpoint security is one of businesses' top AI use cases in cybersecurity.

“There’s a huge amount of data collated in IoT. We can analyse that data and start to build mathematical algorithms which we then apply to an AI process,” says Enterkin. “Based on this information, we can start to predict what’s happening. We can look at every single thing that’s happened in malware and viruses over the last 30 years and predict how a virus or a piece of malware in the future will react and respond. 

“By using AI and machine-learning models, we also end up in a position where not only are we more secure, but there is fundamentally a better user experience. Based upon set metrics and an analytical view, we can decide whether something is normal or requires action. BlackBerry is championing the user experience and enabling IT to be as frictionless as possible for employees, while providing robust security at the same time. 

“There is no other company in the world that’s better positioned to protect data through the internet than BlackBerry because we’ve been doing it for the best part of 40 years. We can provide security at any level, including mobile devices, desktop and IoT. There are 150 million cars around the world today using BlackBerry software to communicate. We are even operating on the International Space Station. So BlackBerry is much more than just a mobile company. We provide security with a seamless touch.”

For more information please visit blackberry.com

The price of security

What is the cost of securing IoT, and what is the price to pay for businesses that fail to do so?

IoT security spending is set to continue growing…

World IoT security spending forecast (millions of USD)

Year                    2017   2018   2019   2020   2021
Endpoint security        320    373    459    541    631
Gateway security         138    186    251    327    415
Professional services    734    946  1,221  1,589  2,071
Total                  1,174  1,506  1,931  2,457  3,118

Source: Gartner 2018

13%: average proportion of organisations' IoT spend allocated to security

Source: Gemalto 2018

…as the IoT security market booms

Chart: Value of the global IoT security market (millions of USD), 2019 and 2024

Source: Market Study Report 2019

Many businesses are not yet convinced of the link between IoT security and cost savings

Businesses that see IoT security as a way to avoid costs of failure and brand damage: 9% in 2017, 14% in 2018

Source: Gemalto 2018

…but the price of lax security can be severe

Chart: Average cost of cyber attacks on IoT devices (GBP)

Sources: Aberdeen 2019; Irdeto 2019

Regulating the internet of things

Faced with the security challenges posed by the internet of things, the UK and other countries are setting new requirements

While the benefits of the internet of things (IoT) are wide-ranging, it has also raised a number of security concerns. Products tend to have little built-in protection, and the sheer number of devices only makes things easier for cybercriminals.

In the last few months alone, we’ve seen vulnerabilities revealed in Ring doorbells, Philips Hue smart lightbulbs, Amazon security cameras and smart TVs. Indeed, according to research firm Ponemon Institute, unsecured IoT devices or applications accounted for more than a quarter of all information security incidents between 2017 and 2019, while nearly nine out of ten organisations expect some sort of IoT-related cyber attack in the next two years.

Three principles of IoT security

However, governments are waking up to the danger. Earlier this year, for example, the UK announced new legislation designed to ensure that all IoT devices sold in the country adhere to three central security requirements.


First, all consumer internet-connected device passwords will have to be unique, and not resettable to any universal factory setting. Second, manufacturers must provide a public point of contact so anyone can report a vulnerability, and act on reports in a timely manner. Finally, they must explicitly state at the point of sale, either in store or online, the length of time for which they'll provide security updates.
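The three requirements above are policy statements, but two of them can be checked mechanically against a manufacturer's own device records. The following Python audit is an added example, not code from the page or from any regulator or vendor: it runs over a constructed inventory (device ids, passwords, contact addresses and update dates are all made up) and flags devices whose credential is a universal factory default or is shared with another unit, devices with no vulnerability-reporting contact, and devices whose stated security-update period is missing or has already ended. A small provisioning helper shows how a per-device unique credential can be generated so that the first check passes by construction.

```python
"""Audit a device inventory against three consumer-IoT requirements:
unique, non-default passwords; a published vulnerability contact; and a
stated security-update period. Example code; the inventory, dates and
default-password list below are constructed for illustration only."""
import secrets
from collections import Counter
from datetime import date

# Constructed denylist of universal factory credentials (illustrative only).
UNIVERSAL_DEFAULTS = {"admin", "password", "12345", "default", ""}

# Constructed inventory: one record per shipped device.
DEVICES = [
    {"id": "cam-0001", "password": "x7Q!m9Lp2v",
     "vuln_contact": "security@example.com", "updates_until": date(2026, 6, 30)},
    {"id": "cam-0002", "password": "x7Q!m9Lp2v",   # same credential as cam-0001
     "vuln_contact": "security@example.com", "updates_until": date(2026, 6, 30)},
    {"id": "bulb-0001", "password": "admin",        # universal default
     "vuln_contact": "", "updates_until": None},
    {"id": "plug-0001", "password": "kR3#zp8Wq1",
     "vuln_contact": "security@example.com", "updates_until": date(2019, 12, 31)},
]


def provision_password(nbytes=12):
    """Generate a per-device credential from the OS CSPRNG (hypothetical helper)."""
    return secrets.token_urlsafe(nbytes)


def audit(devices, today=date(2020, 3, 1)):
    """Return {device_id: [finding, ...]} for every device missing a requirement.

    `today` is fixed to a constructed date so results are reproducible."""
    counts = Counter(d["password"] for d in devices)
    findings = {}
    for d in devices:
        issues = []
        pw = d["password"]
        if pw.lower() in UNIVERSAL_DEFAULTS:
            issues.append("universal default password")
        elif counts[pw] > 1:
            issues.append("password shared across devices")
        if not d["vuln_contact"]:
            issues.append("no vulnerability-reporting contact")
        if d["updates_until"] is None:
            issues.append("security-update period not stated")
        elif d["updates_until"] < today:
            issues.append("security-update period has ended")
        if issues:
            findings[d["id"]] = issues
    return findings


def reprovision(devices):
    """Return a copy of the inventory with every password replaced by a fresh
    unique credential, leaving the other fields untouched."""
    return [dict(d, password=provision_password()) for d in devices]


if __name__ == "__main__":
    for dev_id, issues in audit(DEVICES).items():
        print(dev_id, "->", "; ".join(issues))
```

The audit can only see what is recorded in the inventory: the requirement that a password not be resettable to a universal default is a firmware design property, and has to be verified by testing the reset path on the device itself rather than by inspecting records.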

“Our new law will hold firms manufacturing and selling internet-connected devices to account, and stop hackers threatening people’s privacy and safety,” said Digital Minister Matt Warman at the launch. “It will mean robust security standards are built in from the design stage, and not bolted on as an afterthought.”

The three principles are drawn from a wider code of practice for the industry that consists of 13 voluntary guidelines protecting credentials, communication and personal data. Matthew Evans, director of markets at technology trade association techUK, says he believes they will prevent many low-level attacks, without placing too many restraints on manufacturers.

“I think the government’s taken the right approach by developing that best practice in these three areas that are really the core priority,” he says. “We can eradicate some of the worst examples, while still allowing an innovative IT market.”

Similar legislation is starting to appear elsewhere around the world. At the beginning of this year, laws came into effect in the US states of Oregon and California requiring IoT devices to have “reasonable” security, which is interpreted in a very similar manner to the UK’s new rules.

Meanwhile, the European Telecommunications Standards Institute (ETSI) has created a technical standard, Technical Specification 103 645, based on the same three principles as the UK’s code of practice. It’s now working to transpose this into a European Standard.

“The government has been working with Australia, with the US, with the EU member states on this,” says Mr Evans. “And what this means for some of our manufacturing members is that they're able to comply – if they weren't already – at very minimal cost, because it's an international approach."

Should devices carry a kite mark?

Undeniably, however, the new regulations only cover the basics – and it’s notable that there's no certification scheme.

“What a consumer is looking for is something like a kite mark to say this has been tested within certain areas and has a set level of principles, because sometimes I think that we're putting too much onus on the consumer to understand what’s out there,” says Ian Heritage, chief security architect at security firm Trend Micro.

The idea of a kite mark was ultimately dismissed over fears that it would be too complex, Mr Evans says.


"Would it be a dynamic label, so essentially we'd be asking the customer to look at a QR code and go online?” he asks. “It fell down on complexity, but also on the actual utility, as to whether it would make that much of a difference to consumers.”

While current efforts at regulation are undeniably light touch, it seems likely that they will gradually be expanded over the coming years – probably through the inclusion of other elements of the 13 guidelines.

In the meantime, says Mr Heritage, “I would call it a shared responsibility. There's a responsibility on the manufacturers, but there's also a responsibility on the consumer to be demanding that the device is going to be secure over the lifetime of the product.”

Safeguarding smart cities

Smart cities promise great benefits for citizens, but increased connectivity will pose a range of security challenges for urban environments

The proliferation of internet of things (IoT) devices is set to make our future cities smarter, more efficient and better connected, from transport and smart power grids to cleaner air and communications. But with so many links in the chain, are we exposing our urban landscapes to unforeseen weaknesses and security threats?

The simple answer is yes: connected systems like smart cities greatly increase the potential attack surface for cybercriminals. The very technologies that help engage citizens and provide better services also introduce new, internet-connected access points that can be compromised.


“The cyber threats facing current and future smart city implementations are potentially significant,” says Merritt Maxim, vice president and research director, security & risk, at analyst firm Forrester.

“The rapid adoption of smart city technology is transforming government operations and citizen services, from everything from bill payment to smart lighting, smart parking and video surveillance,” Mr Maxim continues. “At the same time, these highly connected systems – combined with hackers’ interest in compromising them for political and economic purposes – are more vulnerable than ever.”

Taking action

Mr Maxim points to the steady rise in attacks on municipal infrastructure, ranging from ransomware attacks in places like Atlanta, Georgia in the US to public transit shutdowns owing to distributed denial of service attacks in Europe. The heightened awareness of such attacks is prompting governments and cybersecurity professionals to act.

Emerging technologies like artificial intelligence (AI) and machine learning (ML) have been identified as potentially playing a part in safeguarding smart cities. For example, they can take on a significant proportion of first line monitoring and alerting of issues, “doing it faster and in greater volume than manual processes can ever do”, says Deshini Newman, managing director EMEA at cybersecurity association (ISC)².


“It is the most effective use for the technology we have developed so far, whether that is monitoring network traffic for anomalies in activity or taking on the detailed communication of reporting and notification when an incident occurs, such as an attempted or successful intrusion,” Ms Newman says. 

AI and ML could also be valuable in monitoring the availability of systems. By analysing and building models of power output and demand, or traffic and resource utilisation, cities will be able to become truly “smart”, rather than just internet-connected, says Regina Bluman, head of brand and marketing at IT systems and service provider Logicalis UK.

“The obvious concern is still unforeseen exploits, which is where a multilayered security approach and the reduction of single point-of-failures is so critical,” she says. This can only be achieved through taking a multifaceted view of any IoT project under consideration, she adds. While a particular line of business may be the most invested, “it is critical that these projects are reviewed and approved from both a data security and privacy perspective to ensure that there are no ‘blind spots’ when scoping vulnerabilities”, Ms Bluman adds.

People power

However, while AI and ML can play a significant role in helping defend against these risks, Mr Maxim notes that they are “not the magic elixir” that will solve all cybersecurity problems with smart cities. Firms should now start creating private/public partnerships with a trusted network of independent, government, and community partners for resource and intelligence sharing, he says. 

“Some of the largest US cities in the race to digitise, like New York and Los Angeles, have developed successful partnerships with federal bureaus, academia, and security and technology vendors to share intelligence and resources to bolster defences for all.”

It is important to form an integrated security operations centre and share resources, implement critical asset protection programmes, conduct annual risk assessments and testing, and educate employees, developers, and decision makers about security.

“More than ever, the broad ecosystem of suppliers, customers, governments, and regulators needs to engage in the security conversation. Educating business decision makers ensures they understand the consequences of their decisions and makes funding your security programme easier,” notes Mr Maxim. 

It seems clear that while AI and ML will play a key role in securing the smart cities of the future, success ultimately depends on people. 

“AI systems are only as safe and secure as the people charged with protecting them,” says Ms Newman. “It’s a custodian role that still ultimately sits with skilled individuals and teams, not with autonomous IT alone.”