Who is responsible for cybersecurity in the home?

How many home computer networks are affected by at least one cybersecurity threat every month? According to research from CUJO AI Labs, it’s 67%. The safety of these networks is essential to the health and resilience of the internet, but who should be doing the heavy lifting to protect them?

Home networks are becoming more difficult to protect every year as consumers use more connected devices, many of which are unable to run cybersecurity software.

Since every device has a different attack surface and vulnerabilities, the growing diversity of consumer devices is changing the security landscape. While the Internet of Things (IoT) devices are most often targeted by automated attacks from malicious IP addresses, devices used for browsing and apps are more often affected by disreputable websites.

IP reputation threats are connections to and from IP addresses that have a low reputation. These are the most common threats to unattended devices, such as IoT devices, which are mostly automated and do not require user interaction.

Web reputation threats encompass various malicious URLs that can be accessed by users, their email clients or other software. These types of threats are the most prevalent for attended devices, such as smartphones, laptops and desktop computers, which are actively used by their owners.

As a whole, threats to home networks range from targetted social engineering (phishing), malware, botnets and denial-of-service (DoS) attacks to automated attacks that scan networks for valuable, vulnerable devices and hit their weak points.

Protecting the entire network from this variety of threats requires an extensive combination of security measures. First and foremost, devices that can run anti-malware software should definitely do so but no IoT devices are powerful enough to run this type of software (owing to the vendors’ economic incentives, essentially). Our data shows that such gadgets currently make up more than 33% of all connected devices.

New and more diverse threats, especially short-lived phishing websites, can be stopped with artificial intelligence (AI) solutions; while single-purpose devices have more predictable behaviours and can be protected with rules-based mechanisms and firewalls. Of course, device owners also have a responsibility to keep up with basic network security measures, such as not exposing devices to the internet needlessly.

A properly secured home network should have all these security measures in place, which can be a real challenge for non-technical people.

While in a good position to secure their networks, most consumers lack the technical know-how to protect every device or set up network-wide security solutions. A survey from late 2021 suggests that 48% of people in the US, as well as 57% in Italy, 60% in Germany, and more than 67% in France found protecting their home network challenging.

Furthermore, 21-36% of people in those countries were unaware they needed to do something to protect their home networks.

This is the critical problem of offloading security onto consumers – they simply do not have the competence required to deploy, run, and maintain what amounts to an IT security department for their home network. This is evident when we look at how many attacks target vulnerable devices: network-attached storage, DVR devices and IP cameras are affected by orders of magnitude more threats, as consumers struggle to secure them properly.

Some devices sabotage the security of their owners’ networks. For example, some brands of DVR devices and IP cameras change network settings to simplify their setup and function properly, but this can often expose them to malicious actors. Others are released with long outdated and unsupported versions of operating systems without any means of updating them. In these cases, the manufacturers are clearly responsible and the regulatory environments in the EU, UK, and US are changing to reflect that.

Recent moves by major companies towards unified IoT device standards may also result in safer devices. Nevertheless, manufacturers cannot in reality set out to protect the entire home network; their responsibility lies in properly securing their devices.

Internet service providers (ISPs) are in a good spot to improve home network security at scale. For many, they are the caretakers of the networks and are in the perfect position to shield both home and mobile users from major threat vectors.

ISPs also have the trust and relationship with their users to offer cybersecurity as a core element of their services. When asked who is responsible for preventing cybercrime and cyberattacks, consumers in the US, Germany, Italy and France said that network and internet service providers were the most responsible.

Nevertheless, internet service providers have limited abilities to do anything without the help of highly specialized, multi-layered technologies, as threat vectors evolve and target different attack surfaces. These solutions can prevent a lot of cybersecurity threats, including novel phishing attacks, which affect 56% of households every month, as well as stop billions of threats across their vast networks.

At the moment, network service providers see security as an added service, something the consumers should want. This approach still puts the responsibility on the consumer, when many people remain unaware they need to do anything to improve their home network security, especially for the growing number of screenless, unattended IoT devices that have an increased footprint in consumer homes.

Network service providers have an opportunity to embrace cybersecurity and start seeing it as a core part of their business and services. Unlike device manufacturers who have limited access to consumer networks and consumers themselves, service providers have the technical capabilities, the gatekeeper position and customer trust to be the caretakers of their networks. The major shift in the thinking that does need to happen is seeing cybersecurity not as an additional service, but as an essential part of the connected experience.

IoT vendors can take the security of their devices a long way and while the technical aspects of securing the entire home network lie with the ISP, homeowners still need to use their networks responsibly.