Even as the Internet of Things (IoT) makes major shifts in the world of both consumer and industrial electronics, it opens a door to soaring security threats. Electronics OEMs must safeguard both the manufacturing lines where they build connected products and the products they are making.
Today, there are nearly three devices attached to the Internet for every human being on the planet, according to IDC Research. By 2025, that ratio will become 10 to 1. More connected devices translate into a massive threat surface that hackers can leverage to launch distributed denial of service (DDoS) attacks and other threats.
Already, organizations are experiencing losses related to a lack of good practices around IoT. “Implementation of IoT that doesn’t deal with security or privacy creates tremendous risk,” Mike Nelson, vice president, IoT Security at DigiCert, told EBN. Among the least IoT-security-savvy companies, one quarter reported IoT security-related losses of at least $34 million in the last two years, according to DigiCert.
DigiCert’s recently released 2018 State of IoT Survey reveals that enterprises are aware of the threat that IoT poses to security, privacy and regulatory compliance. They are also concerned about cost. “Security is absolutely critical not just for consumers but organizations,” Nelson said. “Considering the risk that insecure devices present to the business, it is much less to invest in security up front than to wait and deal with an attack.”
Currently, most organizations (83%) report that IoT is somewhat to extremely important to their business. Organizations are counting on the technology to increase operational efficiency, improve customer experience, grow revenues, and achieve business agility. By 2020, IoT will be critical for 92% of businesses, the report found. The survey brought in responses from 700 organizations around the world and covered a mix of verticals and organizational sizes.
Capabilities around IoT security vary wildly. DigiCert divided its results into the top tier, which have few IoT security issues; the middle tier, which are moderately successful in terms of security; and the bottom tier, which have trouble mastering IoT security. Those on the bottom tier are 38% more likely to report a lack of IoT-security-specific skill sets in their organizations. They are more likely to find privacy, scalability, security, lack of standards, and shifting regulations challenging.
Those fears are reasonable. While only one in three top-tier organizations reported security incidents related to IoT, all bottom-tier enterprises suffered at least one incident. These less sophisticated enterprises are more than six times as likely to experience IoT-based denial of service attacks, unauthorized access to IoT devices, and IoT-based data breaches. They are also more than 4.5 times as likely to suffer from IoT-based malware and ransomware attacks.
Bottom-tier organizations are facing a number of hurdles, Nelson said. Often, they lack executive support or are unwilling to put resources into security projects. Some need more time to build security processes or haven’t integrated IoT security in the product development life cycle, he added.
DigiCert offers five best practices to help companies pursuing IoT to bring the organization into the top tier:
- Review risk: Perform penetration testing to assess the risk of connected devices. Evaluate the risk and build a priority list for addressing primary security concerns, such as authentication and encryption. A strong risk assessment will help assure you do not leave any gaps in your connected security landscape.
- Encrypt everything: As you evaluate use cases for your connected devices, make sure that all data is encrypted at rest and in transit. Make end-to-end encryption a product requirement to ensure this key security feature is implemented in all of your IoT projects.
- Authenticate always: Review all of the connections being made to your device, including digital and human, to ensure authentication schemes only allow trusted connections to your IoT device. Using digital certificates helps to provide seamless authentication with bound identities tied to cryptographic protocols.
- Instill integrity: Account for the basics of device and data integrity, including secure boot every time the device starts up, secure over-the-air updates, and code signing to ensure the integrity of any code being run on the device.
- Strategize for scale: Make sure that you have a scalable security framework and architecture ready to support your IoT deployments. Plan accordingly and work with third parties that have the scale and focus to help you reach your goals so that you can focus on your company’s core competency.
— Hailey Lynne McKeefry, Editor in Chief, EBN