A tech industry working group convened and drafted an IoT security and privacy framework for locking down home automation devices and consumer health and fitness wearables with standard security best practices:

The framework calls for IoT makers to have the ability to fix bugs quickly and reliably via remote updates or other notifications to consumers — or even device replacement, if needed. And that item comes with this caveat: “It is recognized that some embedded devices’ current design may not have this capability and it is recommended such update/upgradability capabilities be clarified to the consumer in advance of purchase.”

Time is another factor with IoT devices. Networked thermostats, garage-door openers, and other in-home devices change hands when the house does, but the former residents could still have access. And what happens after a warranty expires on a smart device and there’s a breach, Spiezle says.

“We talk about not just security, privacy, and disclosure of the data that’s collected, but also the lifecycle issues. How do they support [these devices] over time and beyond the warranty,” he says.

The working group plans to finalize a formal IoT framework — which includes some 22 minimum requirements plus a dozen optional additional measures — and program around mid-November, after gathering input from Congress, the White House, Federal Trade Commission, and other entities.

Interestingly, Intel, a company championing IoT, was absent from this working group.

Disclosure: I work for Intel Security.

Katie Kuehner-Hebert writing for CFO about how cyber crime costs are expected to soar to $2T by 2019:

Most breaches will target existing information technology and network infrastructure, the U.K. research and analytics firm said. While attacks on mobile devices and the Internet of Things are being reported at an increasing rate, the number of infected devices is minimal compared to more traditional computing devices.

“Currently, we aren’t seeing much dangerous mobile or IoT malware because it’s not profitable,” the report’s author James Moar said in a news release. “The kind of threats we will see on these devices will be either ransomware, with consumers’ devices locked down until they pay the hackers to use their devices, or as part of botnets, where processing power is harnessed as part of a more lucrative hack.”

“With the absence of a direct payout from IoT hacks, there is little motive for criminals to develop the required tools,” he added.

There currently is not a strong financial motive for criminals to attack the Internet of Things – aka IoT – but that does not mean one will not exist in the future. We, as an industry, need to get out in front of this quickly before that motivation is found.