Just because it can be connected, that doesn’t mean it should be

Technology breakthroughs are great things; they present the opportunity for ideas, creativity and innovation. But there is always the risk of enthusiasm running away with itself.

That was certainly evident at this year’s Nordic Digital Business Summit, where IoT was at the top of the agenda. The connected world is big and beautiful, and those who are smart enough can start creating money out of thin air. But one question which might gain sneers from the fanatics is whether connecting the entire world is sensible. Just because everything can be connected to the internet doesn’t mean it should be.

This was one of the conclusions made when your correspondent got the chance to host a discussion with Aalto University’s Jarno Limnéll and Tieto Security Services’ Timo Ahomäki. We’re not prepared enough for the big, wide world of IoT.

“Open up the email, click the link and boom, you’re owned,” said Limnéll. “The problem with security is us, not the technology which is out there.”

“When you look at WannaCry, this was stuff we knew about a decade ago,” said Ahomäki. “We weren’t able to stop it because we weren’t looking for it.”

It’s a point which has been raised countless times over the last few years, but we are the biggest threat which an organization faces. We are lazy, forgetful and careless. Human error is often the downfall of a company’s security features.

This is not a new idea, but it will continue to be repeated for as long as it is still a problem. But the chorus of voices screaming for a more comprehensive and considered approach to security should only get louder considering the technological tsunami which is about to sweep the globe. IoT will be everywhere, but is it the correct decision?

Another speaker at the conference used a phrase which we are all too familiar with; ‘everything that can be digitized, will be digitized’. It’s the idea of connecting everything to the internet, from your car in the driveway, to a buoy in the middle of the Atlantic and your coffee machine in the office. But if we are not yet capable of protecting ourselves in a pre-IoT world, why should we be ready to up the ante?

Ahomäki’s point about WannaCry is a fair one. This is not necessarily a new idea; it was a malicious campaign using technology which was known to the security community. But it still crippled hundreds of organizations around the world. We are not capable of doing the security basics, and yet we are about to expand the security perimeter of our organizations, creating thousands, if not millions, of gateways to a company’s network. Every device which is connected to your network is a potential locked door for a hacker to pick.

Which brings us back to the original point: just because something could be connected doesn’t mean it should be. The point here is not to stop the IoT trends, which would not be sensible considering the potential opportunities, but to have a bit of maturity. It’s about understanding the risk and limiting the threats to your organization.

So do you think it is necessary to have a connected fish tank which feeds the fish for you, or a coffee machine which sends you a text when it is empty? The benefits of such ideas are not going to help a company avoid bankruptcy or create the next revolutionary product, but it does present opportunity for the nefarious characters of the world.

We are not saying anyone should stop playing around with technology in search of a great idea, but perhaps we should stop being so frivolous with it.

One comment

  1. Adrian Firth 11/10/2017 @ 6:17 pm

    As you say this is not new, though it remains timely.

    The ‘why?’ of IoT, of course, is one you addressed in another recent article. We don’t yet know what will prove to be useful or otherwise and innovation often occurs through means and in those places least expected – we’re oddly, humanly naive like that – so perhaps it’s about trying things and seeing what sticks. Perhaps one day an Internet-connected kettle will save humankind; we’ll never have the chance to find out unless we build them.

    Your point about understanding risks we would do well to repeat ad infinitum, but subtly misses the point. Risk is not about limiting threats – it’s the flip-side of innovation and any endeavour that aspires to the lofty ideal of ‘being innovative’ brings with it the need to manage risk. How much risk is one willing to accept in return for the opportunity to innovate? Modern infosec practitioners all too readily assume that managing risk is about limiting threats. That’s an end goal, not the means by which we get there and, as a result, regrettably it turns into a default ‘no’ rather than default ‘yes but…’

    So, we need two things. First, managing risk implies the use of formal risk assessment methodologies in projects as a fundamental need (security by design). Second, risk and infosec professionals need to reassess their role in such endeavours – helping to balance the potential for innovation with the need to manage risk across the whole lifecycle.

    And third, corollary to the last, recognition is needed that ‘availability’ sits at the root of much of this work, because we don’t innovate as much as we think we do – ‘new stuff’ often relies on ‘old stuff’, like infrastructure, to function. When that infrastructure enters a sunset phase is when we start to see ‘solutions’ to problems that should never have existed start to get cobbled together. And when we do retire ‘stuff’ there’s the small matter of doing so in an environmentally sound manner. The interesting question is how people with these diverse skills – security, product design, environmental management, etc. – can come together to deliver effective solutions.

    How is this especially pertinent to the IoT? Well, by virtue of their ubiquity today’s IoT products and services will become tomorrow’s infrastructure and next century’s waste mountain.
