How to manage the risks of the internet of things


3rd July 2017

We live in an increasingly interconnected world — personally and in business; the ability for us to keep in touch with our lives from wherever we are has led to a fundamental paradigm shift in the work-life balance. Isn’t it wonderful to use our smartphones to check what is happening in the workplace or the factory; to adjust the heating, to turn the lights (or anything else) on or off; we can even have devices which open the doors in the morning and lock them at night.

Gone are the days of the Encyclopaedia Britannica salesman; everything we need to know (and much, much more) is now available at the click of a keyboard or increasingly the simple request to some inanimate object.

Leaving aside the use of “smart” devices in our homes, business needs to consider whether it is sound business practice to utilise “internet of things” (IoT) devices in their businesses. Having smart (i.e. internet-connected) light bulbs, heating systems, centrifuges or whatever may provide a short-term benefit, but at the present time, IoT devices are not designed with privacy built in, and, indeed, the level of sophistication in these devices is such that security in these little computers (as that is truly what these are) is limited or non-existent. While businesses will, or should, be conscious of network security for their PCs and servers, few have to date given the same degree of attention to the smart devices.

Even outwith the apparent issue of “smart” light bulbs etc., a perhaps greater threat to business secrets arises in relation to the latest generation of smart listening devices. While few businesses will use Amazon Echo, the Google Home or similar in their research labs, many businesses may have a smart TV in reception; modern smartphones have the ability to have us shout “Hey Siri/Cortana/Google” and have the device answer our queries. However, this raises a number of issues that may affect the trade secrets of a business. First, the device must be listening all the time — if nothing else, waiting for the trigger word where this is needed; second, the query is not answered in situ, but rather is sent by the device through the internet to some knowledge repository, whether Google or Bing or Samsung, for processing.

While it is unlikely that anyone would ask a query of an inanimate device which would reveal the jewels of a trade secret, every little piece of information gleaned from a smart device is of value. These devices can also be used as a means of access to the corporate network, and attack bots (including the Mirai botnet) already exist, which target smart devices expressly and have been used to mount major attacks on other networks.

Proposals are now starting to appear to address the security issues of IoT devices, but it is likely to be some considerable time (if ever) before these devices will be secure; just think of how many patches and updates we get for our PCs — IoT devices don’t have the capability of performing the same complex anti-malware/virus checks, even if we could work out a way of updating them. Most have static embedded passwords and it might be a little unrealistic to expect consumers or businesses to log in to each of their lightbulbs every “Patch Tuesday”.

From a mitigation perspective, businesses need to be thinking about the risks; perhaps restricting smartphone use in particular areas; not using the “clever” devices; and, if you are using IoT devices (do you really need the colour-changing bulbs in reception?), placing them on a separate network, isolated from any other corporate resources. That way the risk can be limited, but not eliminated.
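Segregating IoT devices onto their own network only limits the risk if the separation is actually enforced, so a practitioner will want a way to check it. The following is an added example, not code from the article or from any vendor: it reads a few constructed flow records (timestamp, source, destination, destination port, protocol) and flags any flow in which a device on the IoT segment reaches a corporate or server address. The segment address ranges, the log format and the single permitted internal address (a hypothetical IoT controller at 10.50.0.1) are all assumptions made for the example.

```python
"""Detect IoT-segment traffic that crosses into corporate segments.

Added example for the segregation advice above; the segment addresses,
log format and policy are constructed assumptions, not taken from the article.
"""
import ipaddress
from collections import defaultdict

# Constructed segment layout: IoT devices on their own VLAN, everything
# corporate on separate ranges.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.50.0.0/24"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
}

# The only internal address an IoT device may contact: a hypothetical
# controller/gateway that sits inside the IoT segment.
IOT_ALLOWED_INTERNAL = {ipaddress.ip_address("10.50.0.1")}

# Constructed flow records: "timestamp src dst dport proto"
SAMPLE_FLOWS = """\
2017-07-03T08:00:01 10.50.0.23 52.1.2.3 443 tcp
2017-07-03T08:00:02 10.50.0.23 10.10.4.7 445 tcp
2017-07-03T08:00:03 10.10.4.7 10.20.0.5 443 tcp
2017-07-03T08:00:04 10.50.0.41 10.50.0.1 8883 tcp
2017-07-03T08:00:05 10.50.0.41 10.20.0.5 22 tcp
2017-07-03T08:00:06 10.50.0.23 10.50.0.41 80 tcp
2017-07-03T08:00:07 10.10.4.7 10.50.0.23 80 tcp
"""


def segment_of(ip):
    """Return the segment name containing ip, or 'external' if none matches."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one flow record into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
        }
    except ValueError:
        return None


def is_segmentation_violation(flow):
    """True when an IoT-segment host reaches an internal address other than its controller."""
    if segment_of(flow["src"]) != "iot":
        return False          # this policy only constrains traffic *from* the IoT segment
    dst = flow["dst"]
    if dst in IOT_ALLOWED_INTERNAL:
        return False          # the designated controller is the one permitted internal peer
    dst_segment = segment_of(dst)
    if dst_segment == "external":
        return False          # IoT -> internet is permitted in this model
    if dst_segment == "iot":
        return False          # traffic that stays inside the IoT VLAN is not a boundary crossing
    return True               # IoT -> corporate/servers: the boundary firewall should have blocked this


def find_violations(log_text):
    """Return the list of violating flows found in a block of flow records."""
    violations = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow and is_segmentation_violation(flow):
            violations.append(flow)
    return violations


def violations_by_source(violations):
    """Group violations by source device so a noisy device stands out."""
    grouped = defaultdict(list)
    for v in violations:
        grouped[str(v["src"])].append((str(v["dst"]), v["dport"]))
    return dict(grouped)


if __name__ == "__main__":
    found = find_violations(SAMPLE_FLOWS)
    for src, targets in violations_by_source(found).items():
        print(f"{src} crossed the IoT boundary to: {targets}")
```

On the constructed sample two flows are reported, one IoT bulb reaching a corporate host on port 445 and another reaching a server on port 22; in practice the records would come from the firewall or flow exporter sitting on the boundary, and a non-empty result means the separation the article recommends is not holding.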

