
FTC urges vendors to create Internet of Things security and privacy controls

An FTC report urges vendors to be proactive in creating Internet of Things security and privacy controls, while a Tripwire survey shows IoT devices are a growing corporate risk.

New research indicates that more remote workers connect Internet of Things (IoT) devices to corporate networks, while a new FTC report highlights the security and privacy concerns surrounding IoT and how vendors can mitigate risks.

For its Enterprise of Things report, Portland, Ore.-based security vendor Tripwire Inc. interviewed more than 700 IT professionals and senior decision-makers in the U.S. and U.K., as well as over 600 consumers who work from home, and found that IoT devices such as printers, smart TVs, wearables and smart appliances are already quite widespread.

According to Tripwire, the average employee who works from home has 11 Internet-connected devices, and 25% of remote workers have at least one IoT device connected to a corporate network. Organizations are resigned to this trend, with 67% of executives saying that business efficiencies will force the adoption of more IoT devices, despite the potential Internet of Things security risks.

Tripwire also found that CSOs are not confident in their ability to mitigate security risks stemming from IoT devices. Only 37% expect to receive additional funding to help deal with the new IoT risks; fewer than half of IT professionals polled are confident that the most common IoT devices use the most secure configuration; fewer than 20% are confident in the secure configuration of newer IoT devices; and approximately 33% of American execs don't believe Internet of Things security will ever catch up with technology innovation.

The FTC takes a hands-off approach to Internet of Things security

Meanwhile, the U.S. Federal Trade Commission (FTC) has recognized the growing footprint of IoT devices and the security and privacy risks associated with these new devices in a new 71-page report. In the report, the FTC includes many recommendations for IoT device vendors calling for better self-regulation of the industry.

The FTC focused the report mostly on issues surrounding the potential unauthorized access or misuse of personal data, and risks to personal safety based on that personal data, including habits and location. However, it did also note the increased risk of attacks on other systems initiated on an IoT device, and encouraged vendors to implement security best practices when designing devices, including monitoring connected devices throughout their life cycles, patching security holes and considering options to minimize data collection and storage.

The FTC did not offer suggestions for how organizations should plan security related to the Internet of Things, but noted that the risks listed above can be exacerbated in a number of ways.

"Companies entering the IoT market may not have experience in dealing with security issues … Although some IoT devices are highly sophisticated, many others may be inexpensive and essentially disposable," the FTC said in the report. "In those cases, if a vulnerability were discovered after manufacture, it may be difficult or impossible to update the software or apply a patch. And if an update is available, many consumers may never hear about it."

Ultimately, the FTC called for self-regulation of the industry, saying that the absence of legislation should help foster the free flow of information essential to the Internet of Things and the innovation taking place in the market. The FTC concluded that it isn't necessary to enact IoT-specific legislation at this time, but did reiterate the need for more general data security legislation.

"There was wide agreement among workshop participants about the importance of securing Internet-enabled devices, with some participants stating that many devices now available in the market are not reasonably secure, posing risks to the information that they collect and transmit and also to information on consumers' networks or even to others on the Internet. These problems highlight the need for substantive data security and breach notification legislation at the federal level."
