Australia’s first Internet-of-Things security awareness guidelines have been unveiled, with advice and support for device manufacturers and users.
The Internet of Things Alliance Australia (IoTAA), with financial support from Accenture, launched the guidelines with the aim of supporting Internet-of-Things (IoT) users and providers, with a focus on security, safety and privacy.
IoTAA CEO Frank Zeichner said that SecurityToday researchers found that there are 127 new IoT devices being connected to the internet every second, with approximately 31 billion device installations last year.
“The figures were staggering to begin with, and we have seen first-hand how the pandemic has expedited the adoption of IoT devices, by consumers and industry alike,” said Zeichner.
The combined market size of IoT is estimated to be $520 billion, with 26.6 billion active IoT devices by August 2019.
Despite this, up to 98 per cent of the traffic on these devices is unencrypted.
This leads to significant security and privacy risks associated with the use of IoT devices.
The new guidelines offer “straightforward, plain language, functional and practical guidance” to address this issue and improve safety, for both manufacturers and users of IoT devices.
“For most of us, the internet has opened up new opportunities. We can shop, bank, research, work and connect when and where we want,” IoTAA chair Matt Tett said.
“Unfortunately, the online world also gives criminals opportunities to steal money, information or identities; we need to ensure our online environments and devices protect our safety and privacy. This is achieved by embedding security into IoT products and services.”
The guidelines for developers, manufacturers, suppliers, vendors and distributors outline how these companies can ensure IoT products “inherently deliver good practice security, safety and privacy to clients”.
“IoT security needs to be incorporated by design, not added to products afterwards, to provide a secure platform for the delivery of safety,” the guidelines said.
They outline how these organisations must know the ecosystem their devices are intended for, map this network out and ensure the devices can be easily updated with any necessary software patches.
They should also investigate sectoral risks, compliance and various regulatory requirements.
Vendors should also look to undergo the independent IoT Security Trust Mark Certification process, ensure the devices have no default universal passwords, and that there is a vulnerability disclosure program in place.
These businesses also need to ensure their own security is up to scratch.
“IoT providers must lead by example, implementing good security practice in their products and services, but also in their own business, led from the top of the organisation down,” the guidelines state.
“Ensuring good practices are in place assists the enterprise to identify risks and employ mitigation strategies, minimising loss and reputational damage should a breach occur.”
The user’s guide aims to keep people safe while using IoT devices and is targeted at businesses and individuals.
It recommends using strong passwords, never reusing the same passwords, seeking providers with good security and changing default device passwords.
IoT users should also look for security certifications on products, use encryption, beware of phishing attacks and install anti-malware technology, the guidelines said.
IoT users should also actively educate others on the risks posed by these devices and what can be done to mitigate them, they said.
“Cybersecurity, safety and privacy is not just a personal priority – help protect the people close to you, spread the word,” the guidelines said.
“Educate family members, work colleagues and friends. Enable them to identify and avoid visiting suspicious websites, emails and texts.
“This helps you to protect each other, your business, your connected systems, online accounts, devices and information from malicious software and actors.”