Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/17/2019
12:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'We Want IoT Security Regulation,' Say 95% of IT Decision-Makers

New global survey shows businesses are valuing IoT security more highly, but they are still challenged by IoT data visibility and privacy.

IT professionals often see government regulation as a last resort or even a hindrance to solving their problems. Yet when it comes to Internet of Things (IoT) security, 96% of IT decision-makers say government regulation is necessary – even though some wouldn't actually want it.

Findings come from a Gemalto survey, released Tuesday, of 950 IT and business decision-makers across the globe. One-third of the respondents say they create IoT devices, 30% create IoT software, 30% are IoT integrators, and half use IoT devices created by a third party. (Multiple responses were allowed.)

"If I'm really, really honest, my true belief before this report was that we have learned nothing," says Jason Hart, CTO of data protection at Gemalto. A former ethical hacker in the security business for over 20 years, Hart says he thought businesses' and individuals' cybersecurity perceptions and habits had never improved. "Have we woken up? Is this the turning point where security becomes default?" he asks.

Hart is cautious, though, about what form IoT security regulation might take. What do respondents want most from global regulation? According to the survey, rules and guidelines on who is responsible for data security at each stage of its life cycle (59%) and which methods should be used to secure data storage (59%). 

"You could have a teddy bear that's IoT-enabled – that's data that has minimal impact," Hart explains. "On the other hand, you have a medical device. ... So my point is we need a sliding scale." 

The onus for IoT security should be shared by a variety of stakeholders, according to survey respondents, with IoT security providers and cloud providers sharing the dubious honor of the top spot (60%), and IoT manufacturers (55%) and security specialists (50%) close behind.  

To Hart, the responsibility is clearer. "It's down to the [IoT] manufacturers to make it a responsibility from day one," he says.

In his opinion, IoT security can be achieved through a combination of data encryption, authentication/access control, and key management that puts users in control of the keys. The strongest implementations of those technologies require components that must be built in by the manufacturer, he says. Just as there are rules about supply chain safety if there is a problem with your vacuum cleaner or Nespresso machine, there should be ways to protect data. "This isn't a new problem, he says. 

There may be, however, a new awareness of the problem as it relates to cybersecurity.

Fourteen percent of survey respondents say the single best way to describe their organizations' views on IoT security is as "an ethical responsibility." This is an increase from just 4% in 2017.

Responses to the question indicate a shift toward security as business necessity, as opposed to a business add-on. There are increases in "a way to avoid costs of failure and brand damage" (from 9% in 2017 to 14%) and "regulatory requirement" (from 10% to 13%), but drops in "as a revenue driver" (from 18% to 9%), "as a secure foundation to offer new services" (way down from 32% to 24%), and "as a PR exercise to attract customers" (from 10% to 7%).

Companies are also increasing their investments in security, with 13.15% of their IoT spend devoted to security, up from 11.07% in 2017, according to the survey

That investment may increasingly go to tackling data privacy and security. Respondents say that their top IoT challenges are ensuring data privacy (38%) and that large amounts of data are being collected (34%); authenticating device access and validating identities also made the list.

Most of the respondents are relatively confident in their ability to detect an IoT breach: Although only 48% say they are confident they could detect one on every IoT product, an additional 39% saud they could detect it on at least some.

"The key thing for me is the increased awareness of the privacy of data" and seeing the value of data, Hart says. "That's a huge step forward." 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.