Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/17/2019
12:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'We Want IoT Security Regulation,' Say 95% of IT Decision-Makers

New global survey shows businesses are valuing IoT security more highly, but they are still challenged by IoT data visibility and privacy.

IT professionals often see government regulation as a last resort or even a hindrance to solving their problems. Yet when it comes to Internet of Things (IoT) security, 96% of IT decision-makers say government regulation is necessary – even though some wouldn't actually want it.

Findings come from a Gemalto survey, released Tuesday, of 950 IT and business decision-makers across the globe. One-third of the respondents say they create IoT devices, 30% create IoT software, 30% are IoT integrators, and half use IoT devices created by a third party. (Multiple responses were allowed.)

"If I'm really, really honest, my true belief before this report was that we have learned nothing," says Jason Hart, CTO of data protection at Gemalto. A former ethical hacker in the security business for over 20 years, Hart says he thought businesses' and individuals' cybersecurity perceptions and habits had never improved. "Have we woken up? Is this the turning point where security becomes default?" he asks.

Hart is cautious, though, about what form IoT security regulation might take. What do respondents want most from global regulation? According to the survey, rules and guidelines on who is responsible for data security at each stage of its life cycle (59%) and which methods should be used to secure data storage (59%). 

"You could have a teddy bear that's IoT-enabled – that's data that has minimal impact," Hart explains. "On the other hand, you have a medical device. ... So my point is we need a sliding scale." 

The onus for IoT security should be shared by a variety of stakeholders, according to survey respondents, with IoT security providers and cloud providers sharing the dubious honor of the top spot (60%), and IoT manufacturers (55%) and security specialists (50%) close behind.  

To Hart, the responsibility is clearer. "It's down to the [IoT] manufacturers to make it a responsibility from day one," he says.

In his opinion, IoT security can be achieved through a combination of data encryption, authentication/access control, and key management that puts users in control of the keys. The strongest implementations of those technologies require components that must be built in by the manufacturer, he says. Just as there are rules about supply chain safety if there is a problem with your vacuum cleaner or Nespresso machine, there should be ways to protect data. "This isn't a new problem, he says. 

There may be, however, a new awareness of the problem as it relates to cybersecurity.

Fourteen percent of survey respondents say the single best way to describe their organizations' views on IoT security is as "an ethical responsibility." This is an increase from just 4% in 2017.

Responses to the question indicate a shift toward security as business necessity, as opposed to a business add-on. There are increases in "a way to avoid costs of failure and brand damage" (from 9% in 2017 to 14%) and "regulatory requirement" (from 10% to 13%), but drops in "as a revenue driver" (from 18% to 9%), "as a secure foundation to offer new services" (way down from 32% to 24%), and "as a PR exercise to attract customers" (from 10% to 7%).

Companies are also increasing their investments in security, with 13.15% of their IoT spend devoted to security, up from 11.07% in 2017, according to the survey

That investment may increasingly go to tackling data privacy and security. Respondents say that their top IoT challenges are ensuring data privacy (38%) and that large amounts of data are being collected (34%); authenticating device access and validating identities also made the list.

Most of the respondents are relatively confident in their ability to detect an IoT breach: Although only 48% say they are confident they could detect one on every IoT product, an additional 39% saud they could detect it on at least some.

"The key thing for me is the increased awareness of the privacy of data" and seeing the value of data, Hart says. "That's a huge step forward." 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13873
PUBLISHED: 2021-05-12
A SQL Injection vulnerability in get_topic_info() in sys/CODOF/Forum/Topic.php in Codoforum before 4.9 allows remote attackers (pre-authentication) to bypass the admin page via a leaked password-reset token of the admin. (As an admin, an attacker can upload a PHP shell and execute remote code on the...
CVE-2020-35198
PUBLISHED: 2021-05-12
An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
CVE-2021-23872
PUBLISHED: 2021-05-12
Privilege Escalation vulnerability in the File Lock component of McAfee Total Protection (MTP) prior to 16.0.32 allows a local user to gain elevated privileges by manipulating a symbolic link in the IOTL interface.
CVE-2021-23891
PUBLISHED: 2021-05-12
Privilege Escalation vulnerability in McAfee Total Protection (MTP) prior to 16.0.32 allows a local user to gain elevated privileges by impersonating a client token which could lead to the bypassing of MTP self-defense.
CVE-2021-23892
PUBLISHED: 2021-05-12
By exploiting a time of check to time of use (TOCTOU) race condition during the Endpoint Security for Linux Threat Prevention and Firewall (ENSL TP/FW) installation process, a local user can perform a privilege escalation attack to obtain administrator privileges for the purpose of executing arbitra...