Gadget-hungry consumers creating IoT security holes they can't fix

Despite large vendors' market positioning around Internet of Things (IoT) security threats, tech-deficient consumers are spooked by IoT threats and are overwhelmingly looking to their antivirus software providers to help them secure their devices, according to a new consumer survey.

The online IoT Survey, by security vendor Bullguard, received 672 responses from US and UK consumers. Some 47 percent of US consumers have more than 3 IoT devices and 15 percent have more than 5 devices, the research found, with 31 percent of US consumers and 42 percent of UK consumers owning at least one connected IoT device (not including phones or tablets).

“The connected house is starting to look like a low-end SMB,” Bullguard CEO Paul Lipman told CSO Australia. “Every device is getting some form of Internet connectivity and some form of cloud service as an adjunct. But for device manufacturers, security is really an afterthought: these guys are optimising for cost and bill of materials in manufacturing; security is very far down the priority list.”

Manufacturers' different focus manifests as increased concern about security by consumers, with 66 percent of UK respondents and 58 percent of US respondents saying they were highly concerned that their IoT devices could be hacked or their data stolen.

Some 54 percent of US consumers said they were turning to their antivirus vendors to protect them from IoT security issues, whereas device manufacturers were only named by 23 percent and ISPs, 16 percent.

British users expected far more from their ISPs, with 24 percent turning to their ISPs for IoT protection and 44 percent looking to antivirus vendors.

The results reinforced an evolving industry dilemma for Lipman, who pointed out that formal, broadly usable IoT security standards were still years away despite “a lot of good work being done” to progress them.

In the meantime, he said, consumers' strong expectations from antivirus vendors suggested that it is “incumbent upon” antivirus vendors to build solutions “that address how the way we use technologies is changing.”

“As the nature of the home network changes, we are going to see the emergence of network-centric solutions to keep the home secure,” he added. “But the challenge there is that the network is tremendously more complex than a single endpoint device.”

This year's International CES conference saw IoT devices of all types hitting the market, contributing to a proliferation of devices that create opportunities for business marketing operations but wearables and other IoT technologies create new challenges for CIOs in business environments where changing technology is both exciting and intimidating.

Slightly over one-third of consumers in both countries said they had already experienced a security or privacy issue with a connected device – but 61 percent of US consumers and 72 percent of UK consumers said they had no idea how to secure their devices to prevent such compromises. Fully 35 percent of US and 48 percent of UK consumers said they didn't even know how to change their router's password.

This could pose increasing security risks as hackers turn their attention to IoT devices, with the Spike malware toolkit seeking out devices to launch massive DDoS attacks that utilise nearly any connected device to launch attacks against designated targets.

As malware writers get more clever about their exploitation of IoT, consumers will need to be given more-secure devices and user-friendly tools to ensure that their equipment is not susceptible to security issues. This is a big challenge in its own right, Lipman said, but one that the industry cannot ignore without risking losing all control over the evolving IoT.

“The key to make this all successful for consumers is to make it simple,” he explained. “You can deliver a very complex and configurable solution for the top 1% of users that know and care about the technicalities of how to protect the network.”

“But for mainstream consumers, the intelligence and security has to be built in. If we can't make it absolutely straightforward and simple for consumers, we will have failed out of the gate.”

High Consequence Cyber Crime: The Crime of the Century

Organised criminals : Harness the power of analytics to detect breaches early and minimize their exposure.

Download NOW

Take this 5 minute survey on The State of Cloud Storage & Collaboration 2016 and go in the draw to win a $500 Visa credit card.Start Survey NOW

Join the CSO newsletter!

Error: Please check your email address.

Tags DDoS attacksgadgetIoT securityCES conferenceCSO Australia

More about CSOLipmanVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts