The IoT era has arrived.
Here's some proof: 83% of organizations say the Internet of Things (IoT) is important to business today, and 92% say it will be in two years.
That's according to a recent DigiCert survey commissioned by ReRez Research of 700 organizations in five countries to better understand the IoT and IoT security.
Anecdotally, I always find that markets have matured when it’s no longer an unusual thing. For example, a few years ago, it was hard to find IoT deployments that were outside of the traditional machine-to-machine industries such as manufacturing and oil and gas. Today, connected things are everywhere. Case in point: I recently interviewed the IT director at an entertainment venue and he walked me through all the connected things without ever saying “IoT.” The organization was connecting more things to improve customer experience, and it was treated as no big deal.
IoT creates new security risks
The near ubiquity of IoT does raise the security flag, as it presents a significant threat vector for hackers to breach companies. DigiCert’s goal in running the survey was to understand the state of IoT adoption, understand security implications, and quantify the benefits of having made the investments in IoT security. The survey focused on the four industry verticals where IoT was most mature — industrial, consumer products, healthcare, and transportation — and sampled companies of all sizes, with the median size being 3,000 employees.
The survey asked what objective companies were trying to achieve with IoT. The top responses were operational efficiency, customer experience, increased revenue, and business agility. It’s been my experience that businesses that are early in the adoption cycle of IoT are looking to cut costs through automation, which leads to better efficiency, but they quickly pivot to customer experience as a way of creating new revenue streams.
The survey also asked about the top concerns regarding IoT, and security was the top response. This should be no surprise, as IoT devices create new entry points.
DigiCert segmented the users into three tiers based on their level of IoT security success:
- Top tier – Businesses that are having the least problems and are less likely to report having IoT security problems
- Middle tier – Organizations that are having some problems with IoT security
- Bottom tier – Companies that are having the most IoT security problems
Each group made up about one-third of the survey, creating nice distribution to analyze the differences between them.
Bottom-tier businesses have significantly more security challenges
DigiCert then compared the top and bottom tiers to quantify the benefits of investing in IoT security. For bottom-tier enterprises, it found they are:
- 38% more likely than top-tier enterprises to rate “Lack of appropriate IoT security-specific skillsets within their organization” as somewhat to extremely challenging
- 27% more likely to find Privacy challenging
- 26% more likely to find Scalability challenging
- 17% more likely to find Security challenging
- 17% more likely to find Lack of standards for security in IoT challenging
- 13% more likely to find Regulation more challenging
Top-tier enterprises experience fewer security incidents
The survey drilled down into actual security events. One interesting data point is that just under one-third of the top-tier saw any incidents at all. Juxtapose this with bottom-tier organizations that saw 100% of companies experience at least one incident, and it should be clear that the security investment can have big pay backs.
Regarding bottom-tier enterprises, they are:
- More than six times as likely to have experienced IoT-based denial of service attacks
- More than six times as likely to have experienced unauthorized access to IoT devices
- Nearly six times as likely to have experienced IoT-based data breaches
- Five times as likely to have experienced IoT-based malware or ransomware attacks
Currently, the number of threat actors focusing on IoT devices is relatively low. I expect, though, that as IoT grows, so will the number of IoT-specific attacks. So, there’s a wave coming, and bottom-tier companies are likely to see a rise in attacks.
IoT security incidents cost bottom-tier businesses real dollars
The survey drilled down a level and looked at the actual cost of the security incidents over the past two years. If ever there was an eye-opener as to the importance of IoT security, it’s the finding that 25% of the bottom-tier enterprises reported at least $34 million in losses in the past two years from IoT security-related losses. For the bottom tier, the costliest damages came from the following area:
- Monetary damages (59%)
- Lost productivity (59%)
- Legal and compliance penalties (43%)
- Lost reputation (40%)
- A hit in stock price (31%)
I don’t want readers to think the top-tier organizations had no security issues because they did, but there were no significant costs associated with the security incidents.
Encryption and integrity are common best practices of top-tier enterprises
With an understanding that the top-tier enterprises have a marked advantage over middle- and bottom-tier companies, it’s worth understanding their best practices. The most common security practices done by the top-tier companies are:
- Encryption of sensitive data
- Ensuring the integrity of data being transmitted to and from a device
- Scaling your security measures
- Securing over-the-air updates
- Secure software-based key storage
5 key best practices for IoT security
Over the next five years there will be tens of billions of IoT devices deployed, and IT leaders need to prepare for this. To help with this, DigiCert provided some recommendations on how to move ahead with IoT while minimizing security risks:
- Review risk: Perform penetration testing to assess the risk of connected devices. Evaluate the risk and build a priority list for addressing primary security concerns, such as authentication and encryption. A strong risk assessment helps assure there are no gaps in the connected security landscape.
- Encrypt everything: When devices are connected, all the data should be encrypted at rest and in transit. Make end-to-end encryption a product requirement to ensure this key security feature is implemented across all IoT endpoints.
- Authenticate always: Review all of the connections being made to the IoT devices, including devices and users, to ensure authentication schemes only allow trusted connections to the endpoints. Digital certificates help provide seamless authentication with binded identities tied to cryptographic protocols.
- Instill integrity: Account for the basics of device and data integrity to include secure boot every time the device starts up, secure over-the-air updates, and use code signing to ensure the integrity of any code being run on the device.
- Strategize for scale: Develop a scalable security framework and architecture ready to support all IoT deployments. Plan accordingly, and work with third parties that have the scale and expertise to help you reach the business goals.