A smart fridge or smart coffeepot on your premises could act as the perfect site for the initial attack because, unlike with an Amazon Echo, for example, the companies manufacturing such appliances often do not possess years of experience developing complex code with layers of privacy protection technology. These systems operate as appliances first, providing digital technology and security second. Such devices generally possess "minimal" security functionality and can be considered as potentially rogue technology. Today, there exists little legislation to enforce strong security on IoT products on the market. But it’s coming!
In the UK, the ‘Product Security and Telecommunications Infrastructure (PSTI) Bill’ will mandate that device manufacturers guarantee that their products meet minimum security standards. The bill introduces duties on businesses to investigate and take action in circumstances of non-compliance. Similar legislation is imminent across Europe and indeed around the world. The PSTI Bill is currently proceeding through the House of Lords and is expected to be brought into law in early 2023. Its requirements are a subset of the ETSI EN 303 645 standard. By attaining the IASME IoT Cyber certification, the manufacturer/reseller is certifying that it is compliant with the legislation.
If you are a user of IoT devices in your business, then be conscious of the security (or lack thereof) of the “things” on your business network. One way of gauging this is to look for a valid, reputable certification of the product, aligned with legislation and with a worldwide standard in IoT product security.