Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/17/2019
12:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'We Want IoT Security Regulation,' Say 95% of IT Decision-Makers

New global survey shows businesses are valuing IoT security more highly, but they are still challenged by IoT data visibility and privacy.

IT professionals often see government regulation as a last resort or even a hindrance to solving their problems. Yet when it comes to Internet of Things (IoT) security, 96% of IT decision-makers say government regulation is necessary – even though some wouldn't actually want it.

Findings come from a Gemalto survey, released Tuesday, of 950 IT and business decision-makers across the globe. One-third of the respondents say they create IoT devices, 30% create IoT software, 30% are IoT integrators, and half use IoT devices created by a third party. (Multiple responses were allowed.)

"If I'm really, really honest, my true belief before this report was that we have learned nothing," says Jason Hart, CTO of data protection at Gemalto. A former ethical hacker in the security business for over 20 years, Hart says he thought businesses' and individuals' cybersecurity perceptions and habits had never improved. "Have we woken up? Is this the turning point where security becomes default?" he asks.

Hart is cautious, though, about what form IoT security regulation might take. What do respondents want most from global regulation? According to the survey, rules and guidelines on who is responsible for data security at each stage of its life cycle (59%) and which methods should be used to secure data storage (59%). 

"You could have a teddy bear that's IoT-enabled – that's data that has minimal impact," Hart explains. "On the other hand, you have a medical device. ... So my point is we need a sliding scale." 

The onus for IoT security should be shared by a variety of stakeholders, according to survey respondents, with IoT security providers and cloud providers sharing the dubious honor of the top spot (60%), and IoT manufacturers (55%) and security specialists (50%) close behind.  

To Hart, the responsibility is clearer. "It's down to the [IoT] manufacturers to make it a responsibility from day one," he says.

In his opinion, IoT security can be achieved through a combination of data encryption, authentication/access control, and key management that puts users in control of the keys. The strongest implementations of those technologies require components that must be built in by the manufacturer, he says. Just as there are rules about supply chain safety if there is a problem with your vacuum cleaner or Nespresso machine, there should be ways to protect data. "This isn't a new problem, he says. 

There may be, however, a new awareness of the problem as it relates to cybersecurity.

Fourteen percent of survey respondents say the single best way to describe their organizations' views on IoT security is as "an ethical responsibility." This is an increase from just 4% in 2017.

Responses to the question indicate a shift toward security as business necessity, as opposed to a business add-on. There are increases in "a way to avoid costs of failure and brand damage" (from 9% in 2017 to 14%) and "regulatory requirement" (from 10% to 13%), but drops in "as a revenue driver" (from 18% to 9%), "as a secure foundation to offer new services" (way down from 32% to 24%), and "as a PR exercise to attract customers" (from 10% to 7%).

Companies are also increasing their investments in security, with 13.15% of their IoT spend devoted to security, up from 11.07% in 2017, according to the survey

That investment may increasingly go to tackling data privacy and security. Respondents say that their top IoT challenges are ensuring data privacy (38%) and that large amounts of data are being collected (34%); authenticating device access and validating identities also made the list.

Most of the respondents are relatively confident in their ability to detect an IoT breach: Although only 48% say they are confident they could detect one on every IoT product, an additional 39% saud they could detect it on at least some.

"The key thing for me is the increased awareness of the privacy of data" and seeing the value of data, Hart says. "That's a huge step forward." 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...