Why we need to forget about IT security paradigms
Ransomware and large-scale hacks are making the headlines with worrying frequency in recent months. I predict that’s only going to increase. Why? Because organizations all over the world are applying IT security paradigms to an IoT world with completely different risks.
How we understood “security”
I started my IT career more than 20 years ago in telcos. Back then, IT infrastructure was built on-premise with very little thought given to security. In fact, going a little further back, the idea of people using telco networks to connect computers across disparate physical sites was unthinkable. But then it quickly became the norm, and the primary way to manage IT security was to appoint an administrator – this person would manage access to networks, grant certain privileges, set IT audit controls and generally oversee the maintenance of the network.
The procedures established by admins became national and then international standards that everyone followed. And somehow the admin security paradigm continued for years.
The reverse paradigm
Then more and more computers became connected, and mobile devices too. With millions of endpoints, software patch updates become very tricky, so central management of security gave way to the “reverse paradigm” – in which it’s the user’s responsibility to manage updates. The problem with this, of course, is that most end users are not overly concerned with the security of their software and apps, let alone their IT hardware – when was the last time you updated your home wifi router? Answer: probably never.
This is why we now have a slew of successful malware attacks.
What happens when humans are taken out of the equation?
Human vulnerability and error are the main reason why ransomware attacks are so successful – for example, not having the latest operating system patches installed, or clicking on phishing links.
The problem is that we are carrying the old-school IT security rules over to IoT – by thinking about IT security in the same way as when we had ten computers connected and under physical access control, we are simply asking for disaster.
But the IoT is really scary: communication between machines, without human involvement, and millions of interactions happening every minute means that in no time at all something malign can spread across the globe.
Some people are thinking about AI and blockchain as a cure for everything risky in IoT. I’ll agree that AI is indeed key for IoT data analysis, simulating the behavior of humans but a million times faster. But the threat is that AI can learn very quickly, make bad decisions and repeat them millions of times over in seconds. This could be the biggest threat we face.
As for blockchain, even if the majority of users agree on best practice, the deliberate lack of overall governance poses the threat of partiality or manipulation – so the very concept of blockchain is not secure.
Rethinking security
For the time being at least, humans most definitely still have a role in the IoT security paradigm. But we need to fundamentally rethink our entire approach.
Here’s why. In the recent “Mirai” attack that seized control of webcams, the vulnerability exploited by the hackers was that all of the devices had the same default password. No one had bothered to read the manual and take responsibility for securing the devices.
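The Mirai weakness described above is a fleet-wide credential monoculture: every device shipped with, and kept, the same password. The following script is an added example, not code from the article, showing how a device owner can audit an inventory for that condition from the defender's side. It assumes a device-management export that lists each device's credential hash; the inventory and the "factory default" password list it uses are constructed placeholders, not real device records or real vendor defaults.

```python
"""Audit a device inventory for factory-default and fleet-shared credentials.

Added example (not from the article). INVENTORY and KNOWN_DEFAULTS are
constructed sample data. In practice the hashes would come from a
device-management export, and findings drive rotation, isolation or
re-provisioning of the flagged devices.
"""
import hashlib
from collections import defaultdict


def pw_hash(password: str) -> str:
    # The audit compares hashes only, so the inventory never needs to hold
    # plaintext credentials. (Unsalted SHA-256 is fine for equality checks
    # against a known-default list; it is not a credential storage scheme.)
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed placeholders for passwords the owner knows shipped as defaults.
KNOWN_DEFAULTS = {pw_hash(p) for p in ("factory-default-A", "factory-default-B")}

# Constructed inventory: device id, model, credential hash.
INVENTORY = [
    {"id": "cam-001", "model": "ipcam-x", "pw": pw_hash("factory-default-A")},
    {"id": "cam-002", "model": "ipcam-x", "pw": pw_hash("factory-default-A")},
    {"id": "cam-003", "model": "ipcam-x", "pw": pw_hash("factory-default-A")},
    {"id": "cam-004", "model": "ipcam-x", "pw": pw_hash("rotated-unique-1")},
    {"id": "dvr-001", "model": "dvr-y",   "pw": pw_hash("factory-default-B")},
    {"id": "dvr-002", "model": "dvr-y",   "pw": pw_hash("site-wide-password")},
    {"id": "dvr-003", "model": "dvr-y",   "pw": pw_hash("site-wide-password")},
    {"id": "dvr-004", "model": "dvr-y",   "pw": pw_hash("site-wide-password")},
]


def audit(inventory, known_defaults, shared_threshold=3):
    """Return findings for two distinct risks.

    'default': ids of devices still using a known factory-default credential.
    'shared':  credential hashes reused by >= shared_threshold devices, mapped
               to the affected ids. A rotated-but-identical password is still
               a monoculture: one leak unlocks the whole group.
    """
    default_hits = []
    by_hash = defaultdict(list)
    for dev in inventory:
        by_hash[dev["pw"]].append(dev["id"])
        if dev["pw"] in known_defaults:
            default_hits.append(dev["id"])
    shared = {h: ids for h, ids in by_hash.items() if len(ids) >= shared_threshold}
    return {"default": sorted(default_hits), "shared": shared}


def exposure_fraction(findings, inventory):
    """Fraction of the fleet flagged by either finding (0.0 .. 1.0)."""
    flagged = set(findings["default"])
    for ids in findings["shared"].values():
        flagged.update(ids)
    return len(flagged) / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    result = audit(INVENTORY, KNOWN_DEFAULTS)
    print("still on factory default:", result["default"])
    for h, ids in result["shared"].items():
        print(f"credential {h[:12]}... shared by {len(ids)} devices: {ids}")
    print(f"fleet exposure: {exposure_fraction(result, INVENTORY):.0%}")
```

The shared-credential check is the part that matters for the Mirai scenario: devices whose owners did "change the default" to one common site password look clean to a default-list check but still fall together, so both findings belong in the same report.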
At the supplier end, manufacturers of tiny sensors will not bother applying a $10 security patch for a product that retails for 99 cents. Instead they put a security disclaimer on it, putting the onus on the user to keep it secure and updated. The reverse paradigm again.
In banking, software is tested line by line for years. It’s rightly seen as a very important procedure. But in IoT, the market for smaller, cheaper devices is accelerating and small boutiques are offering protocols and apps in a rush to capitalize on it – MVPs are launched without being tested.
As more and more of these cheap, connected devices are installed everywhere from food factories to airports, we are creating huge unprotected environments based on untested technology.
Counting the cost
The economic/risk management mantra that states the protection cost should be less than the value of the asset will not serve us now or in the future.
Instead, we must calculate the risk of an attack on individual IoT devices by estimating the cost to the whole ecosystem – including people and knowledge – and then work out how to keep it running, even without an admin, and with the number of devices counted in billions.
You can be quite sure that hackers are thinking along these lines already, holding entire ecosystems to ransom simply by hijacking connected devices.
As IoT devices connect more and more of the world’s critical infrastructure, the cost will soon be counted in human lives, not bitcoins. Maybe that will serve as the wake-up call to rethink security in the IoT era.
Cyber Services | Infrastructure Defense at Schweitzer Engineering Laboratories (SEL)
I'd like to think the issue comes down to your point on governance. The IoT ecosystem should let someone impartial such as IEEE come and either establish a renewed security framework or a framework that easily adapts to pre-existing security frameworks with "default" security values for edge devices.
Chief Information Security Officer (CISO) – S7 Airlines
It's really a big problem. We can change default passwords and enter a new strong one. We can try to update our IoT, but vendors make new updates hardly ever (of course we can use virtual patching...). We have a lot of other problems, which can't be solved in a standard way.
Big Song Entertainment
If I have 60 IoT devices in my home, that means I have agreed to 60 separate security agreements for each device. What this means to me is that to the extent the law allows: 60 vendors are gathering data on me and I have no visibility into what they are doing with this data or how it may or may not be (mis)used.
Financial services risk manager, DORA/resilience, sustainability, GDPR/data privacy & protection, Risk & Control, InsureTech, solvency
Btw, I inspect my home router for patches regularly but there hardly ever are any. Vendors may not care that much when it comes to home use equipment...