Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/17/2019
12:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'We Want IoT Security Regulation,' Say 95% of IT Decision-Makers

New global survey shows businesses are valuing IoT security more highly, but they are still challenged by IoT data visibility and privacy.

IT professionals often see government regulation as a last resort or even a hindrance to solving their problems. Yet when it comes to Internet of Things (IoT) security, 96% of IT decision-makers say government regulation is necessary – even though some wouldn't actually want it.

Findings come from a Gemalto survey, released Tuesday, of 950 IT and business decision-makers across the globe. One-third of the respondents say they create IoT devices, 30% create IoT software, 30% are IoT integrators, and half use IoT devices created by a third party. (Multiple responses were allowed.)

"If I'm really, really honest, my true belief before this report was that we have learned nothing," says Jason Hart, CTO of data protection at Gemalto. A former ethical hacker in the security business for over 20 years, Hart says he thought businesses' and individuals' cybersecurity perceptions and habits had never improved. "Have we woken up? Is this the turning point where security becomes default?" he asks.

Hart is cautious, though, about what form IoT security regulation might take. What do respondents want most from global regulation? According to the survey, rules and guidelines on who is responsible for data security at each stage of its life cycle (59%) and which methods should be used to secure data storage (59%). 

"You could have a teddy bear that's IoT-enabled – that's data that has minimal impact," Hart explains. "On the other hand, you have a medical device. ... So my point is we need a sliding scale." 

The onus for IoT security should be shared by a variety of stakeholders, according to survey respondents, with IoT security providers and cloud providers sharing the dubious honor of the top spot (60%), and IoT manufacturers (55%) and security specialists (50%) close behind.  

To Hart, the responsibility is clearer. "It's down to the [IoT] manufacturers to make it a responsibility from day one," he says.

In his opinion, IoT security can be achieved through a combination of data encryption, authentication/access control, and key management that puts users in control of the keys. The strongest implementations of those technologies require components that must be built in by the manufacturer, he says. Just as there are rules about supply chain safety if there is a problem with your vacuum cleaner or Nespresso machine, there should be ways to protect data. "This isn't a new problem, he says. 

There may be, however, a new awareness of the problem as it relates to cybersecurity.

Fourteen percent of survey respondents say the single best way to describe their organizations' views on IoT security is as "an ethical responsibility." This is an increase from just 4% in 2017.

Responses to the question indicate a shift toward security as business necessity, as opposed to a business add-on. There are increases in "a way to avoid costs of failure and brand damage" (from 9% in 2017 to 14%) and "regulatory requirement" (from 10% to 13%), but drops in "as a revenue driver" (from 18% to 9%), "as a secure foundation to offer new services" (way down from 32% to 24%), and "as a PR exercise to attract customers" (from 10% to 7%).

Companies are also increasing their investments in security, with 13.15% of their IoT spend devoted to security, up from 11.07% in 2017, according to the survey

That investment may increasingly go to tackling data privacy and security. Respondents say that their top IoT challenges are ensuring data privacy (38%) and that large amounts of data are being collected (34%); authenticating device access and validating identities also made the list.

Most of the respondents are relatively confident in their ability to detect an IoT breach: Although only 48% say they are confident they could detect one on every IoT product, an additional 39% saud they could detect it on at least some.

"The key thing for me is the increased awareness of the privacy of data" and seeing the value of data, Hart says. "That's a huge step forward." 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15150
PUBLISHED: 2019-08-19
In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.
CVE-2017-18550
PUBLISHED: 2019-08-19
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.
CVE-2017-18551
PUBLISHED: 2019-08-19
An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.
CVE-2017-18552
PUBLISHED: 2019-08-19
An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.
CVE-2018-20976
PUBLISHED: 2019-08-19
An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.