Even as enterprises across the globe hustle to get their Internet of Things business models up and running, there is a sense of foreboding about a rising wave of IoT-related security exposures. And, in fact, IoT-related security incidents have already begun taking a toll at ill-prepared companies.
That’s the upshot of an extensive survey commissioned by global TLS, PKI and IoT security solutions leader DigiCert. The 2018 State of IoT Security study took a poll of 700 organizations in the US, UK, Germany, France and Japan and found IoT is well on its way to being woven into all facets of daily business operations. Meanwhile, IoT-related security incidents have already started to wreak havoc, according to study findings released today.
Among companies surveyed that are struggling the most with IoT security, 25 percent reported IoT security-related losses of at least $34 million in the last two years. Losses include lost productivity, compliance penalties, lost reputation and stock price declines.
Carried out by ReRez Research, DigiCert’s poll queried senior officials at organizations in the fields of healthcare, industrial manufacturing, consumer products and transportation ranging in size from 999 to 10,000 employees. Some 83% of respondents indicated IoT is extremely important to their organization, while some 92% indicated IoT will be vital within two years.
Respondents cited operational efficiency, customer experience, revenue and business agility as their top IoT objectives; currently two-thirds are engaged with IoT, although only a third have completed implementing their IoT strategy.
“Enterprises today fully grasp the reality that the Internet of Things is upon us and will continue to revolutionize the way we live, work and recreate,” said Mike Nelson, vice president of IoT Security at DigiCert. “The companies with a good handle on things have discovered how to leverage robust authentication and encryption regimes to help maintain the integrity of their IoT systems.”
Tiered performances
What I found to be particularly instructive about this survey is that it sheds light on how IoT-related security incidents are playing out in the real world. A series of detailed questions were designed to parse differences between companies handling IoT well versus those struggling with IoT implementation.
Survey results were then divided into tiers; the top-tier companies reported the fewest problems with IoT security issues, while the bottom-tier organizations were much more likely to report difficulties mastering specific aspects of IoT security.
From this line of questioning and categorizing comes a picture of enterprises already sustaining varying degrees of monetary losses due to IoT-spawned security weaknesses. Not surprisingly, the enterprises struggling the most with IoT implementation are much more likely to get hit hard by IoT-related security incidents.
Fully 100 percent of bottom-tier companies sustained an IoT security incident in the past two years. Additionally, when compared to top-tier companies, bottom-tier enterprises were found to be:
More than six times as likely to have experienced IoT-based Denial of Service attacks
More than six times as likely to have experienced Unauthorized Access to IoT Devices
Nearly six times as likely to have experienced IoT-based Data Breaches
4.5 times as likely to have experienced IoT-based Malware or Ransomware attacks
Interconnected security
Conversely, enterprises found to be largely successful at handling IoT implementation turned out to be well along in a process of honing a fresh set of best practices and policies specifically to ameliorate IoT-related security issues.
What the top-tier companies have discovered is that “integrating security at the beginning, and all the way through IoT implementations” is pivotal to detecting and deterring fresh forms of cyber attacks, Nelson said.
“We live in a world where we have nearly three Internet-connected devices for every human on the planet. Beyond our smartphones and smart TVs, that includes smart thermostats, sensors throughout your automobile, medical devices and complex industrial controls running our power plants and factories,” Nelson observed. “Enterprises are finding there’s no escape: they must address head-on the unprecedented exposures arising from this massively increased threat surface.”
Respondents from top-tier enterprises acknowledged experiencing security missteps, though the damage reported was generally nominal. The most common security practices in place at top-tier enterprises were:
Encryption of sensitive data
Ensuring the integrity of data being transmitted to or from a device
Scaling your security measures
Securing over the air updates
Secure software-based key storage
Best practices roadmap
The silver lining in these findings may be that some companies have figured out how to implement best practices and policies specifically designed to mitigate IoT-related security exposures. My hope is that these forward-thinking companies may be giving shape to an IoT security roadmap for others to follow.
In the conclusion of its survey report, DigiCert puts a sharper point on IoT-related best security practices that companies can use as a general guide. It bears repeating:
Review risk: Perform penetration testing to assess the risk of connected devices. Evaluate the risk and build a priority list for addressing primary security concerns, such as authentication and encryption. A strong risk assessment will help assure you do not leave any gaps in your connected security landscape.
Encrypt everything: As you evaluate use cases for your connected devices, make sure that all data is encrypted at rest and in transit. Make end-to-end encryption a product requirement to ensure this key security feature is implemented in all of your IoT projects.
Authenticate always: Review all of the connections being made to your device, including digital and human, to ensure authentication schemes only allow trusted connections to your IoT device. Using digital certificates helps to provide seamless authentication with bound identities tied to cryptographic protocols.
Instill integrity: Account for the basics of device and data integrity, to include secure boot every time the device starts up, secure over the air updates and using code signing to ensure the integrity of any code being run on the device.
Strategize for scale: Make sure that you have a scalable security framework and architecture ready to support your IoT deployments. Plan accordingly and work with third parties that have the scale and focus to help you reach your goals so that you can focus on your company’s core competency.
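To make the "authenticate always" and "instill integrity" items concrete, here is an added example (written for this page, not code from DigiCert or its report) of how a device can check a signed over-the-air update before installing it. The design is an assumption for illustration: the vendor signs a small JSON manifest with an Ed25519 key provisioned on the device at manufacture; the device verifies the signature, rejects images meant for another model or with a version no newer than what it already runs (anti-rollback), and only then compares the image hash against the signed manifest. The device model names, manifest field names and firmware bytes are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the object that actually gets signed. The device trusts
// nothing in it until the signature over its bytes has verified.
type Manifest struct {
	Device  string `json:"device"`  // target model (hypothetical field name)
	Version uint32 `json:"version"` // monotonically increasing for anti-rollback
	SHA256  string `json:"sha256"`  // hex digest of the firmware image
}

// SignedUpdate is what travels over the air: manifest, signature and image.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

// Device holds the state a verifying device keeps in protected storage:
// the vendor public key provisioned at manufacture and the installed version.
type Device struct {
	Model     string
	VendorKey ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrWrongDevice  = errors.New("manifest is for a different device model")
	ErrRollback     = errors.New("update version is not newer than installed")
	ErrImageHash    = errors.New("image hash does not match signed manifest")
)

// BuildUpdate is the vendor side: hash the image, then sign the manifest
// that names the target model, version and hash.
func BuildUpdate(priv ed25519.PrivateKey, model string, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	m := Manifest{Device: model, Version: version, SHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

// Verify is the device side. Order matters: the signature is checked first so
// an unauthenticated manifest is never parsed for policy, then model and
// anti-rollback rules, then the image hash. Installed is updated only after
// every check passes.
func (d *Device) Verify(u SignedUpdate) error {
	if !ed25519.Verify(d.VendorKey, u.ManifestJSON, u.Signature) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return err
	}
	if m.Device != d.Model {
		return ErrWrongDevice
	}
	if m.Version <= d.Installed {
		return ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrImageHash
	}
	d.Installed = m.Version
	return nil
}

func main() {
	// Constructed demo: one vendor key, one device running version 3.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{Model: "sensor-x1", VendorKey: pub, Installed: 3}
	image := []byte("constructed firmware image bytes")

	good, _ := BuildUpdate(priv, "sensor-x1", 4, image)
	fmt.Println("genuine v4:", dev.Verify(good), "installed =", dev.Installed)

	old, _ := BuildUpdate(priv, "sensor-x1", 2, image)
	fmt.Println("rollback to v2:", dev.Verify(old))

	tampered, _ := BuildUpdate(priv, "sensor-x1", 5, image)
	tampered.Image = []byte("modified after signing")
	fmt.Println("tampered image:", dev.Verify(tampered))
}
```

The same shape serves secure boot: the boot ROM holds the public key, the manifest covers the next-stage image, and the version check is done against a counter in one-time-programmable storage so it cannot be rolled back even with physical access to flash.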
(Editor’s note: LW has provided consulting services to DigiCert.)