Take a baby or toddler which of course is where the phrase comes from, it first crawls, walks, climbs, runs and finally cycles. Security should be the same, first you should secure your home, office, data centre and then move onto the network, endpoints, websites, email servers etc.
Many companies have not done much of the above. Take various City of London offices, LCD screens with users on are sitting next to windows. Good front office access control maybe but you can look over someone’s shoulder from outside.
Then you need to secure the network with the use of hardware firewalls and IPS (intrusion detection prevention). Mail servers and webservers are next since they face the world wide web and further down the line is endpoints.
Makes sense? Likely to some. The problem is companies are struggling to secure their normal network because they do not understand the risks or care. Plus, there is a shortage of products which actually work and a global shortage of skilled staff.
Move onto IoT (internet of things), if anyone including home users is struggling to secure their conventional kit why move onto IoT which can add a physical element into the equation? Webcams, CCTV, heating/electricity control companies do not put much effort into security.
Home users and some businesses simply follow a “craze” and run out there and buy everything their friends or colleagues have. Wealthy home owners get everything plugged in and it goes through the generalist home router/modem.
Do people really need to turn off their iron or open the curtains from outside the door? Not really but it sounds cool. Actually securing these devices with hardware and labour would likely cost more than the IoT devices itself.
“When fridges attack” is a good example. The fridges in question were/are made by well-known manufactures not a cheapy firm no one has heard of. Two years ago there was a story about a hijacked baby monitor. Now the physical and cyber worlds collide.
The next time you go out to buy something for your home, think is it secure, can you secure it and do you need it. I have barely seen a company which has a web page dedicated to the security, testing and certification of the hardware they are selling.