“Ordinary” Cybersecurity Threats in a Brave New IoT World: Practical Guidance to Manage Risk
My garage door opener recently quit working. No problem, I figured – with a quick trip to my local home improvement store, I’d have a brand-new unit and an installation date within the week. Nothing fancy on my shopping list – just a well-rated opener with a couple of remotes.
What I didn’t realize is that the “Internet of Things” – or IoT – trend had swept up even the most prosaic of garage door openers. In fact, to get one that wasn’t connected to the internet required a special order. Everything off the shelf presumed the consumer wanted to control the device over the internet through their smartphone – with all the security and hacking risks attendant thereto.
Like most homeowners, my garage door happens to be the single largest entrance into my home – the security of which is obviously important. But other recent IoT stories give at least as much pause. Consider the report of a Tesla Model S that was successfully hacked from 12 miles away – seats moving at random, trunk opened, brakes actuated. Or the continuing story of more than half a million pacemakers that require a firmware update to avoid hacking that could disable the devices entirely.
Such a parade of horribles is certainly catchy, but by focusing on the more “ordinary” computer systems that fill our work and home lives, we can really move the needle on cybersecurity. I asked my friend and colleague Tom Matzen – Founder and CEO of the Matzen Consulting Group in Austin and a cybersecurity and data privacy expert – to weigh in with some quick, practical guidance on ways end users can manage the risks presented by the systems more directly under our control.
- “Stay current with software patches and updates,” Tom said. “Whether it be your phone, computer, or other IoT device, follow the security update prompts and make sure update alerts are enabled. While it is true that hardware can be vulnerable to attack, you can usually avoid the likelihood of being a victim by staying up to date with software patches and updates.”
- Importantly, “do not assume that the company selling you a product has your security in mind. You need to be your own advocate and understand what you are buying.” As discussed with Tom, “Chris’ garage door example is a great illustration of this point. Only by reading the materials will you fully understand your risk, so educate yourself on what data is being collected, how it is being transmitted, and where it is ending up. You should also assume that your data is being shared with and/or sold to other companies as an additional revenue stream.”
- Finally, “change the default passwords for your IoT devices – and especially for your wifi router. While companies have made great progress making their devices user friendly, you should not use default passwords when setting up your devices, as those passwords can be found rather easily online for many popular IoT systems.”
So, while you might not be able to do much (at least for now) about the systems implicated as you open your garage door to drive your electric car to your next cardiologist appointment, don’t overlook the things that can be done with the less embedded systems you interact with. Small steps – like those identified above – can make a big difference.
Chris Schultz serves as Executive Vice President and General Counsel of Level 2 Legal Solutions. In addition to serving as the chief legal officer, Chris helps coordinate all aspects of the company’s managed review and corporate compliance projects. He also leads engagement teams assisting clients with a full range of electronic discovery and litigation readiness projects. In addition, Chris is available to provide clients with expert testimony and special discovery master services. A dynamic speaker with more than five years of college-level teaching experience, Chris is a frequent presenter of continuing legal education and other seminars concerning eDiscovery.