The term Internet of Things (IoT) has almost been beaten to death at this point, as more and more security integrators, manufacturers and customers take advantage of the ability to increase connectivity between devices (and therefore take on the dangers this introduces).

But the methods by which we interact with the IoT and protect its devices are still catching up, which means security manufacturers must take part in shifting their focus toward safeguarding data, engaging in vulnerability testing of products and incorporating stringent protections at every stage of the product development process.

Who is responsible for IoT security?

One small leak or breach on a single connected device can potentially cause significant damage across an organisation, creating a disruption within a company, affecting its assets, employees and customers. The continued question seems to be: Who is ultimately responsible for the security of IoT devices?

In a recent survey from Radware, a provider of application delivery and cybersecurity solutions, there was no clear consensus among security executives when asked this question. Thirty-five percent of respondents placed responsibility on the organisation managing the network, 34 percent said the manufacturer and 21 percent chose the consumers using the devices as being primarily responsible. 

Several schools of thought exist for each:

  • The Organisation

It's not surprising that most people see the organisation as the main stakeholder for IoT security responsibility; after all, if a company is managing a network, one would expect it to protect the network as well.
One way that the organisation can embrace this responsibility is by adopting a user-centric design with scalability, tactical data storage and access with appropriate identification and security features (for example, the use of multilevel authentication through biometrics in access control).
Organisations must also use their IT team to strengthen the overall cybersecurity of the IoT by keeping up with the latest software updates, following proper data safety protocols and practicing vulnerability testing.

  • The Manufacturer

Manufacturers that provide IoT-enabled devices as part of a security system must be fully knowledgeable of the risks involved and effectively communicate them to the integrator or end user.
Providing the necessary education and showing dedication to protecting users of its equipment makes a manufacturer more trustworthy and understanding in the eyes of an end user. Ensuring encryption between devices is a key step that manufacturers can take to work toward achieving complete protection in the IoT.

  • The User

Despite the protection delivered by the organisation and manufacturer, there's always the option for IoT security to be enhanced or possibly even diminished by the individual user. It's critical that best practices for data protection are in place every time an individual uses a device that is connected to the network.
These include disabling default credentials, proper password etiquette, safe sharing of sensitive information and the instinct to avoid any suspicious activity or requests.

The short answer to the responsibility question is this: everyone. Each sector has a responsibility to contribute to the protections needed for IoT-enabled devices.

However, as a manufacturer, it is imperative that our teams think about each level of protection when developing products for public consumption, including how the organisation implements the technology and how the integrator engages in training with users. 


Manufacturer vulnerability testing

One way that manufacturers can implement added protections against outside threats is by boosting their attention to security protocols in the product development stage. For some, this requires a different approach in the design and development of security systems. Identifying vulnerabilities is at the core of this.

A security vulnerability in a product is a pattern of conditions in the design of a system that is unable to prevent an attack, resulting in weaknesses of the system such as mishandling, deleting, altering or extracting data. Increased connectivity makes these vulnerabilities more of a liability, as IP-enabled (or networked) devices are more likely to be breached by outsiders looking to permeate an organisation and collect valuable data. 

While some of these hacks are a little more “simple” in nature — such as outsiders trying to guess a password using manufacturer-set passwords — others are more complex, such as a denial-of-service attack, where attackers attempt to overload the system by flooding the target with excessive demands and preventing legitimate requests from being carried out. This makes it virtually impossible to stop the attack by blocking a single source.

As a result of these potential threats — and to help manufacturers deliver best-in-class products — it's imperative that vulnerability testing is done throughout a product's development, starting at phase one in the process.

This includes analysis of the types of cyberattacks that can potentially attack, breach and disable a system. Many manufacturers attempt to hack their own products from within the organisation, or even go as far as hiring a third-party professional group to do it for them.

Success in a volatile technology landscape 

This kind of development puts a product through rigorous levels of testing, and once weaknesses are exposed, they can be patched up and the cycle of attack-and-defense can take place until the product is protected fully and ready for market.

Skipping this step in the development process can open manufacturers up to significant liability, so it's important for this testing to take place and corrective actions be taken to rectify gaps in security. The more extensive an organisation's security testing approaches are, the better are its chances of succeeding in an increasingly volatile technology landscape. 

But the testing doesn't stop in the development stage. Attacks on a system continue long after the product has been introduced to market, requiring continued updates to be made available in an effort to protect customers. Manufacturers are tasked with implementing further firmware updates so that a product in the field stays prepared against the latest critical bugs that can affect the market.

What end users demand from security

We're seeing a significant shift in the education and demand from a customer perspective. In the past, consumers took the advice of integrators and consultants as far as the “right” security systems to install for their needs. Today, the self-education of end users is on the rise as more and more IT departments become involved in the selection and investment of physical access control systems.

A larger number of end users are demanding security products that meet IT standards of network protection, and they take these considerations into account when working with integrator partners on the selection of systems to meet their needs.

As a result, manufacturers are tasked with not only developing robust IoT-centric products, but also continuing to be involved on a regular basis in an effort to continuously keep organisations safe. 

A comprehensive security strategy from manufacturers must involve multiple levels of product selection, testing and integration — centered on the team-based approach to implementing training and protocols within an organisation.

While manufacturers are stepping up their game in the development of robust products, this remains a team effort that must be addressed every week — not something you implement, then forget about. The safety of data — and the entire organisation — depends on it.


Author profile

Kim Loy, Director of Technology and Communications, Vanderbilt Industries
