IT professionals often see government regulation as a last resort or even a hindrance to solving their problems. Yet when it comes to Internet of Things (IoT) security, 96% of IT decision-makers say government regulation is necessary – even though some wouldn't actually want it.
Findings come from a Gemalto survey, released Tuesday, of 950 IT and business decision-makers across the globe. One-third of the respondents say they create IoT devices, 30% create IoT software, 30% are IoT integrators, and half use IoT devices created by a third party. (Multiple responses were allowed.)
"If I'm really, really honest, my true belief before this report was that we have learned nothing," says Jason Hart, CTO of data protection at Gemalto. A former ethical hacker in the security business for over 20 years, Hart says he thought businesses' and individuals' cybersecurity perceptions and habits had never improved. "Have we woken up? Is this the turning point where security becomes default?" he asks.
Hart is cautious, though, about what form IoT security regulation might take. What do respondents want most from global regulation? According to the survey, rules and guidelines on who is responsible for data security at each stage of its life cycle (59%) and which methods should be used to secure data storage (59%).
"You could have a teddy bear that's IoT-enabled – that's data that has minimal impact," Hart explains. "On the other hand, you have a medical device. ... So my point is we need a sliding scale."
The onus for IoT security should be shared by a variety of stakeholders, according to survey respondents, with IoT security providers and cloud providers sharing the dubious honor of the top spot (60%), and IoT manufacturers (55%) and security specialists (50%) close behind.
To Hart, the responsibility is clearer. "It's down to the [IoT] manufacturers to make it a responsibility from day one," he says.
In his opinion, IoT security can be achieved through a combination of data encryption, authentication/access control, and key management that puts users in control of the keys. The strongest implementations of those technologies require components that must be built in by the manufacturer, he says. Just as there are rules about supply chain safety if there is a problem with your vacuum cleaner or Nespresso machine, there should be ways to protect data. "This isn't a new problem, he says.
There may be, however, a new awareness of the problem as it relates to cybersecurity.
Fourteen percent of survey respondents say the single best way to describe their organizations' views on IoT security is as "an ethical responsibility." This is an increase from just 4% in 2017.
Responses to the question indicate a shift toward security as business necessity, as opposed to a business add-on. There are increases in "a way to avoid costs of failure and brand damage" (from 9% in 2017 to 14%) and "regulatory requirement" (from 10% to 13%), but drops in "as a revenue driver" (from 18% to 9%), "as a secure foundation to offer new services" (way down from 32% to 24%), and "as a PR exercise to attract customers" (from 10% to 7%).
Companies are also increasing their investments in security, with 13.15% of their IoT spend devoted to security, up from 11.07% in 2017, according to the survey.
That investment may increasingly go to tackling data privacy and security. Respondents say that their top IoT challenges are ensuring data privacy (38%) and that large amounts of data are being collected (34%); authenticating device access and validating identities also made the list.
Most of the respondents are relatively confident in their ability to detect an IoT breach: Although only 48% say they are confident they could detect one on every IoT product, an additional 39% saud they could detect it on at least some.
"The key thing for me is the increased awareness of the privacy of data" and seeing the value of data, Hart says. "That's a huge step forward."Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio