Andrew Lee on Internet of Things and cybersecurity

As CEO for ESET North America, Andrew Lee brings the role a unique blend of corporate and security expertise. Having served as Chief Research Officer at ESET from 2004 to 2008, Mr. Lee was responsible for helping to build ESET’s reputation as a world-class research organization. He is a founding member of several respected cyber security organizations, serves on the board of NCSA (The National Cyber Security Alliance) and is co-chair of the San Diego Cyber Center of Excellence (CCOE), which works to accelerate the regional cyber economy. A frequent speaker at industry conferences, Mr. Lee is also a widely-published author of articles on antivirus and security, and also co-authored the “AVIEN Malware Defense Guide” with current ESET researcher David Harley. Mr. Lee holds an MSc degree in Computer Security from the University of Liverpool.

LIFARS: Tell us some background on you and how you got where you are today.

Andrew: I actually started out studying electronics engineering while working in an electronics factory and got interested in computers as in my job I did quite a bit of programming. Later I was working in local government and got involved in computer security, particularly in anti-malware. From there I ended up writing a few papers on the topic, and met some of the ESET people at various conferences. We developed a friendship and I was eventually asked to join the team in the USA. I worked as the Chief Research Officer for a few years, then joined an Indian antivirus company as their CTO. Then I got a call to come back to ESET and so here I am!

LIFARS: What is the industry biggest concern on Internet of Things(IoT) security?

Andrew: I think that the proliferation of low cost devices that have little available power for security features, coupled with few incentives (again cost and power) to update or patch these devices means that we very often find that security, if it exists at all, is an afterthought. Given that these devices are rarely updated (except with brand new hardware) there will be a lot of obsolete devices still pumping out personal data for years after their useful lives. One of my biggest concerns is that most of the data is held by 3rd party vendors, and there’s little control over how and where they store your data. Recently there was a case where a hobbyist drone manufacturer was sending all of the information about the registered user and flight information back to a server in China. Knowing where the parts of your ‘digital body’ are and how they are used is critical to protecting your privacy.

LIFARS:  What are the types of IoT and what devices are more in risk than others?

Andrew: Medical devices are a particular area of concern, these devices not only handle sensitive data, but their function can be critical to wellbeing and even life. For instance, consider an insulin pump or a wirelessly configured pacemaker. In the past both of those types of devices have been shown to have serious flaws that have allowed a remote, unauthorized attacker to affect their function. We should also be thinking about any device that holds financial data or has ordering capability – an example might be a smart refrigerator that knows when to order more food.

LIFARS: How do you think we can protect and manage our data that is moving to new technology like IoT?

Andrew: A key consideration is to ensure you know what is connected to your network, and what data it touches. Putting IoT devices onto your ‘guest’ network is a good idea, so that if they do get compromised the attacker can’t easily bridge into your private home network. If you’re using and allowing IoT devices on your corporate network (and there may be good reasons for this – e.g. tracking stock), then it’s even more important to ensure you understand the security implications. If possible, patch devices when the manufacturer releases updates and disconnect and wipe devices that are no longer used.