The Internet of Things (IoT) is ramping up, with 92 percent of companies saying it will be extremely important in the next two years. Yet, companies not prioritizing security for their IoT deployments may face significant losses upwards of tens of millions of dollars. The State of IoT Security Survey explores security behaviors and common practices among the best companies.
While it may seem that we are living in a highly connected world, the reality is we are just getting started when it comes to digital connectivity of all the devices we use in our daily lives. The move to connect everything, from thermostats to sensors in your car and even your oven, are steps in the process to full connectivity and are a good indication that the Internet of Things (IoT) will continue to explode all around us. So much so, that analysts predict there will be 80 billion connected devices by 2025. This brings incredible opportunities for advances in technologies previously only dreamed of, and with these opportunities come new security risks. Eighty billion devices coming to market in a relatively short period of time opens up an array of new ways for bad actors to try and gain access to networks through these devices. In fact, experts say the massive DDoS attacks we’re seeing targeted on IoT devices are only the beginning.
With good reason, many organizations are drawn to IoT with its ability to improve customer experiences, grow revenue, and increase efficiency and business agility, but what enterprises need to come to terms with is that without a solid foundation of security and privacy, IoT can quickly turn on them.
To understand how enterprises globally are handling new security risks arising from IoT, DigiCert commissioned ReRez Research to conduct a survey of 700 enterprise organizations in the US, UK, Germany, France, and Japan. The study found that while some companies are doing well with IoT others are struggling.
Many enterprises have even started to experience significant monetary loss from their IoT roll-outs. In fact, among companies struggling the most with IoT security, 25 percent reported IoT security-related losses of at least $34 million in the last two years. Considering that IoT is expected to grow exponentially in the coming years, that number will continue to grow unless changes are made and IoT security is brought in at the beginning and managed all the way through an organization’s IoT implementation.
The study shows that companies which place a focus on IoT security early on (top-tier) and are seen as effectively managing IoT have a far lower rate of IoT-related security incidents, with only one-third experiencing a related incident. On the other hand, 100 percent of companies considered to be struggling with IoT deployment and security (bottom-tier) report experiencing at least one IoT-related security incident in the last two years. We saw other differences between the two groups as it relates to IoT-related security incidents:
- Bottom-tier companies are more than six times as likely to have experienced IoT-based Denial of Service attacks
- More than six times as likely to have experienced Unauthorized Access to IoT Devices
- Nearly six times as likely to have experienced IoT-based Data Breaches
- 5 times as likely to have experienced IoT-based Malware or Ransomware attacks
We followed up on these missteps by asking how much each type of mishap cost the organization over the past two years. The most expensive damages came from five areas:
- 59 percent of bottom-tier respondents reported Monetary damages
- 59 percent of bottom-tier respondents reported Lost productivity
- 43 percent of bottom-tier respondents reported Legal/compliance penalties
- 40 percent of bottom-tier respondents reported Lost reputation
- 31 percent of bottom-tier respondents reported Stock price
Despite the challenges, the data has shown that proper consideration of IoT risks coupled with deployment of scalable security basics that address authentication, encryption and integrity help companies build effective defenses against security threats.
The study also looked at the enterprises that are succeeding at IoT to glean wisdom and best practices. The most common security practices these companies engaged in were:
- Encryption of sensitive data
- Ensuring the integrity of data being transmitted to or from a device
- Scaling your security measures
- Securing over the air updates
- Secure software-based key storage
Based on their experiences and feedback, the following best practices will help companies as they roll out their own IoT strategies:
- Review risk: Perform penetration testing to assess the risk of connected devices. Evaluate the risk and build a priority list for addressing primary security concerns, such as authentication and encryption. A strong risk assessment will help assure you do not leave any gaps in your connected security landscape.
- Encrypt everything: As you evaluate use cases for your connected devices, make sure that all data is encrypted at rest and in transit. Make end-to-end encryption a product requirement to ensure this key security feature is implemented in all of your IoT projects.
- Authenticate always: Review all of the connections being made to your device, including digital and human to ensure authentication schemes only allow trusted connections to your IoT device. Using digital certificates helps to provide seamless authentication with binded identities tied to cryptographic protocols.
- Instill integrity: Account for the basics of device and data integrity to include secure boot every time the device starts up, secure over the air updates and using code signing to ensure the integrity of any code being run on the device.
- Strategize for scale: Make sure that you have a scalable security framework and architecture ready to support your IoT deployments. Plan accordingly and work with third parties that have the scale and focus to help you reach your goals so that you can focus on your company’s core competency.
According to IDC Research, there are nearly three devices attached to the internet for every human on the planet. By 2025 that ratio will soar to 10 to 1. I think it’s safe to say that IoT will be around for a while. To make IoT a successful part of the business, organizations need to be vigilant when it comes to maintaining the integrity of their IoT systems.
For more information on the report and how your organization can act like the top-tier companies, get a copy of the full report here: https://www.digicert.com/state-of-iot-security-survey/.