The “Internet of Things” is great — we’ll soon be able to build apps for our cars, thermostats, refrigerators, and more. But what happens when attackers get into your company’s system through an ice maker instead of the phishing email we’re all so used to?

“Every digital thing ever made has flaws, and there are two ways to deal with that: You hide them and bury them … or you deal with the outside risks and you respond really quickly,” said Lookout Mobile chief technology officer Kevin Mahaffey in an interview with VentureBeat.

“The Internet of Things,” or all the physical devices that you can connect to the Internet, opens up new doors for attackers trying to get into your company’s systems. Mahaffey set out to attack all the devices he could find in his office and home and see just how weak some of them really are. This included his thermostat, Blu-ray player, Apple TV, printer, VoIP phone, projector, white board, and other devices that all connect to the Internet (and likely your company’s network).

“These are the things that hackers lust after,” said Mahaffey during a presentation at the RSA conference in San Francisco. “A lot of these devices have a pretty big attack surface.”

Lucky for us, a lot of these — in particular the thermostats — encrypt their data flows and are difficult to be hacked by traditional means.

The Nest thermostat passed the test, using a secure form of encryption and properly signing their own certificates. Apple TV also passed the test. Things like printers, VoIP phones, a certain kind of smart thermostat called EcoBee, and even a coffee maker did not, however.

But what’s so concerning? Oh, no, someone turned my air conditioning on, boo-hoo. Well, what if all the thermostats in a city suddenly turned their air conditioning on high? Mahaffey explained it could be a means to blow out the power grid. Printers have access to your sensitive documents and directly connect to your networks.

And what about things like fire alarms and HVAC systems that aren’t currently connected to the Internet — but could be someday soon? Maybe the new form of DDoSing a website is to trip the fire sprinklers to rain on a data center.

Mahaffey told VentureBeat he’s most concerned about severe attacks from fire systems and card readers. We’ve already seen big-name organizations such as RSA and the Department of Defense fall to attacks on card readers.

“Who cares about the security guy if you can badge your way in?” said Mahaffey.

He suggests that companies start planning for The Internet of Things now by using modern cryptography to protect all the traffic running in and out of all of their systems. He also suggests IT departments purposefully watch network flows to see what devices are communicating with what parts of the network and then segment devices. For example, your Internet-connected coffee maker likely doesn’t need to talk to your source code server.

Mahaffey goes farther to say that the device vendors themselves should start penetration testing their devices and that the companies who use them should do the same. Otherwise, we’ll suffer from the fact that many of these devices do not get patched often but do get closer and closer to the critical systems we use in our businesses every day.

Kevin Mahaffey image via Meghan Kelly/VentureBeat

We focus too much on finding out who hacked us and not enough on using big data to protect ourselves from the hack in the first place, Arthur Coviello, security firm RSA’s executive chairman, said on stage today at the RSA conference in San Francisco. One of the main ways we can use data is sharing information about our hacks with other companies.

“Do we really need to see a smoking gun to know there’s a dead body on the floor?” Coviello asked the conference crowd. “Sure we should continue to work to out the perpetrators, but for the most part, we know who they are.”

In 2012, Coviello said, we collected one zettabyte of data. That’s the equivalent of 4.9 quadrillion books. But, according to IDC, only one percent of that is actually analyzed, and not all of that one percent can be used for security purposes. So much of a hacked company’s time and attention is spent on naming the attackers, and it makes sense. Everyone who has ever watched a cop show knows we want the culprit caught red-handed. But this can become a distraction from actually preventing attacks.

The way to start on the path to using this data, Coviello said, is for companies to share attack information with each other so that we can use big data and an understanding of attacks in our environments to prepare for the next ones. It’s a controversial idea, however. Companies don’t exactly jump to explain how people got into their systems. In fact, if customer information isn’t involved, an attack on a company may never be revealed.

There’s a movement, however, in that direction. Facebook, Apple, Microsoft, and Twitter all revealed they were hacked in the last two weeks alone. Facebook and Twitter lead the pack, saying they know they weren’t the only ones and they wanted others to be aware of the attack. Whether these companies share information about the attack, however, is unknown. It’s those kinds of conversation that Coviello hopes we’ll start to see more of.

Arthur Coviello image via Meghan Kelly/VentureBeat