The number of internet connected devices and products is rapidly increasing and in turn creating more opportunity for cyber security breaches and generating greater amounts of data including personal information. Consumer fear is also heightened around this issue - the recent Australian Community Attitudes to Privacy Survey 2017 revealed that 83% of Australians perceive the online environment to be more risky and only 10% of Australians are comfortable with their personal data being shared.
Cyber criminals and hackers have targeted some 'internet of things' products, perhaps because of the perception (which in some instances has been reality) that manufacturers of traditionally 'unconnected' devices (eg, kettles, toys, dog bowls, vacuum cleaners) have been less attuned to the security challenges associated with internet connected devices. There also appears to be a public perception in some instances that the data collected by many IoT devices is less 'valuable' to criminals than, for example, financial information collected and held by banks, retailers and others, and therefore is a less likely target of attacks.
But that sort of thinking overlooks other potential risks associated with the way in which IoT devices may operate and the different ways such devices could be compromised or exploited by criminals or hackers. For example, concerns were raised with two internet connected toys - the 'My Friend Cayla' doll and 'i-Que Intelligent Robot' - which engaged in conversations with children. These toys recorded conversations and could be hacked, allowing hackers to listen back to the recorded conversations and control what the toy said in response to questions. The privacy concerns with the dolls resulted in the 'My Friend Cayla' doll being banned in Germany.
On a larger scale, IoT devices can be attacked by malware to compromise networks and turn devices into botnets (ie, groups of devices that are centrally controlled). Cyber criminals successfully used the Mirai malware in October 2016 to hack IoT devices and flood websites with traffic to launch a distributed denial of service attack against popular domain name service provider Dyn which resulted in the outage of websites such as Twitter, the Guardian and CNN. IoT is only just beginning, and the security risks that come with it will become more complex as it grows. The proliferation of IoT devices - expected to be more than 20 billion internet connected devices by 2020 - means that there potentially is a very, very large number of devices that could become botnets used to disrupt other websites.
Taking all these factors into account, information security should be a key focus for organisations involved in any part of the IoT ecosystem - whether it be manufacture, implementation and integration or retail. Steps that organisations can take to mitigate the risks of data breaches or incidents, and the impact arising from such a data breach or incident, include the following:
- Adopting a 'security by design' approach when designing, developing and implementing IoT devices
- Maintaining and regularly updating appropriate IT security policies and procedures, personnel policies, and device level policies
- The development and implementation of effective compliance training and personnel education processes to foster an environment in which the crucial importance of effective data management and security is understood
- Designing and implementing an internal feedback loop to monitor and identify possible and actual security risks and issues, and ensuring that the impact of major changes is addressed in relevant policies and processes
- Management and governance policies and processes implemented in relation to external vendors including gateway reviews to monitor compliance with mandatory security requirements and other contractual obligations
- Developing and implementing an incident response plan for specific data breach or security issues, and a process for periodic review and updating of the plan. Such incident response procedures must be regularly tested, and changed where necessary. A post incident review should also be performed and documented following any significant security incidents
Data breaches and incidents arising in connection with IoT devices may also be subject to the data breach notification regime which is due to commence in February 2018. This regime will require entities to report serious data breaches to customers, the Privacy Commissioner and potentially to the media, with significant penalties of up to AUD1.8 million for non-compliance.