Security vs. innovation?
The smartphone app can be used to open and close the lid, flush, activate the bidet or switch on the fragrance spray by remote control.
Security was clearly not the decisive design criterion; the non-changeable Bluetooth PIN ("0000") can also be seen as a direct invitation to hackers.
Admittedly, the potential financial damage is limited, even if someone operates the flush around the clock, and there is certainly no acute risk to human life here.
From the quiet room 2.0 to the car of the future...
But the fun stops when it comes to medical devices such as insulin pumps. There are many such examples - even in areas where attackers could cause considerable damage.
Just think of the automotive industry, where IT is becoming increasingly important. The focus is on innovation and entering the market as quickly as possible.
Security experts are often not part of the product teams responsible for such new solutions. As a result, not much attention is paid to security at the outset. Unfortunately, such decisions can also have significant negative consequences.
This is the case, for example, when new products arouse the interest of hackers and those hackers then come up against security hurdles that are non-existent or very easy to overcome.
...security threatens to fall by the wayside
Such a tendency can also be observed in IT projects when innovations are introduced: The focus is on performance improvement, cost savings or process optimization - but there is less talk about what needs to be done and adapted in terms of security.
During the proof of concept, the main focus is then on whether the innovation meets expectations. Once the POC phase has been successfully completed and it is time to plan the introduction of the production servers, it turns out that the company guidelines are not yet fully met: the innovation is still too new, and the missing security features still have to be added in future releases.
Or, as some installation instructions state, security components should not be used with the innovation at all because of performance losses.
Caught between IT and business
And now? Wait or implement? This subsequently creates an area of tension between IT security, which rightly insists that internal guidelines must be adhered to because compromises in this area usually lead to damage very quickly, and the business department, which wants to introduce innovations as quickly as possible.
From a security perspective, the more business-critical the innovation is, the more interesting it is for an attacker. Compromising on security here can have fatal consequences.
Incidentally, unlike toilet 2.0, which really exists in Japan, the "revolutionary payment app" mentioned above is part of an online game. Here, a company - fictitious, of course - is about to launch an app on the market, the advertising measures have started successfully, but security gaps or targeted attacks could jeopardize the project.
As CIO, the players have to make numerous decisions and solve problems during the final preparations for the planned market launch.
Try it out: the game "Targeted Attack - The Game" can be started free of charge at http://targetedattacks.trendmicro.com/ger and you do not have to disclose any personal information to start it.