Senior academics have been reacting to the government’s announcement of cash help to businesses for cyber security.
Organisations can now apply for funding to support research to ensure systems are properly protected against hackers.
The successful bidder will be awarded up to £200,000 to test popular devices and help identify if current Internet of Things (IoT)security measures and guidance, such as international standards and NCSC device security principles, are robust enough to protect businesses from evolving threats.
The grant is part of the government’s £2.6 billion National Cyber Strategy to protect the UK from cyber threats and grow the digital economy.
Steven Furnell, IEEE Senior Member and Professor of Cyber Security at the University of Nottingham said: “IoT devices have the potential to collect and access a large amount of personal information about users and sensitive data relating to their environment.
“Devices are often linked to the accounts that consumers use on other devices.
“The difference is that on these other devices they are more readily protected against unauthorised use. On the smart device people may set them up initially and forget that they are essentially ‘logged in’ all the time.
“Added to this, people are often less mindful of the security risks posed by IoT devices, as they do not necessarily think the devices as storing and communicating data in the same way as traditional computing devices.”
He added: “Most IoT devices are not doing any ongoing checks on who is using them, they are set up and can then be controlled equally by anyone, albeit maybe with a password or PIN required to get into the ‘Settings’ menu. However, introducing a check each time someone wants to do something would not be possible if we rely on traditional methods.
“Biometrics open the door to making the checks in a friendly and tolerable manner, with the potential for seamless transitioning between users of shared devices.”
Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University said: “Organisations need to ensure they deploy IoT devices with sufficient security policies in place, such as firewalls and intrusion detection and prevention systems, but they also need to ensure they cater for the confidentiality of their customers data.
“This is where encryption plays a core role. Of course, all devices need strong passwords, but it is also good practice to enforce certificate-based authentication which identifies communicating individuals and authorised devices.
“Many of the steps in securing IoT activities are similar to security within the larger enterprise system.”
He added: “However, organisations need to be aware that privacy issues can arise due to their IoT data collection mechanisms which may lead to user profiling and identification of individuals in unforeseen use case scenarios.
“The greatest care needs to be taken when deploying data collection devices with regards their lifecycle, data collection mechanisms and overall security protocols.
“While devices may have some protections built-in, products with poor cyber security can leave companies using them at risk, particularly as more and more data is being collected. Adopting a multi-layered security strategy is often best practice.”
A government statement said: “Thousands of UK businesses rely on these products, known as enterprise Internet of Things (IoT) devices, to increase productivity and enable hybrid working.
“The government is funding new research to uncover vulnerabilities in these commonly used enterprise IoT products and assess the cyber resilience of these devices.
“Smart devices in the workplace can collect sensitive data which can be accessed by other users, making them an attractive target for cyber criminals to exploit.
“While devices may have some protections built-in, products with poor cyber security can leave companies using them at risk.”