Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

11/20/2018
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

IoT Security Problems Can Cost Enterprises Millions

A survey by DigiCert finds that the IoT is a priority for most companies, but many enterprises struggle when it comes to security and privacy. This can translate into firms losing millions.

The Internet of Things is becoming increasingly important to most businesses, but many of those organizations aren't making security around all those intelligent connected devices a priority, according to researchers at cybersecurity firm DigiCert.

In fact, a report by DigiCert found that among those companies that are having the most difficulty securing their IoT environments, 25% report that they had lost at least $34 million over the last two years due to security-related issues. That number will grow unless companies that bring connected devices into the fold start taking steps to increase the security round them.

"The security challenges presented by IoT are similar to the many IT and internet security challenges industries have faced for years," Mike Nelson, vice president of IoT security at DigiCert, told Security Now in an email. "Encryption of data in transit, authentication of connections, ensuring the integrity of data -- these challenges are not new. However, in the IoT ecosystem these challenges require new and unique ways of thinking to make sure the way you're solving those challenges works. Regarding evolution of security challenges, the biggest challenge is simply the scale and the magnitude of growth. Having scalable solutions is going to be critical."

Organizations also will have to deal with the issue of securing the interoperability of these myriad devices. In the coming years, "it won't be sufficient for an organization to simply secure the connections their device makes with other internal resources," Nelson said. "IoT devices will be connecting to each other and other systems and the secure interoperability of those connections will be a unique challenge."

The benefits and challenges of the IoT have been known for several years.

Smart connected devices -- from in-home thermostats to industrial systems -- can improve customer experiences, increase revenue, improve efficiency and agility within a business and reduce costs. However, the ever-growing numbers of connected devices also vastly expands the attack surface for bad actors, putting both security and privacy at risk.

A growing industry
Some vendors and analysts have predicted that by 2020, there will be 20 billion or more connected devices worldwide, and that could grow to 80 billion by 2025, with spending on the IoT increasing from $80 billion last year to almost $1.4 trillion by 2021, according to IDC analysts. Attacks against IoT devices also have increased, with growing concerns about the rise of DDoS attacks, like the one in 2016 that brought down the DNS service.

Consumers also are concerned about security, so much so that these concerns are slowing the adoption of IoT, F-Secure wrote in a recent report. (See IoT Device Adoption Hampered by Consumer's Security Concerns.)

DigiCert's report, “State of IoT Security," found that 82% of companies surveyed reported that security was a top concern when implementing IoT, while 78% said privacy was another. That comes as 83% said IoT is important to their businesses today and 92% said it will be important by 2020. Most companies are just getting started; only a third said they had completed implementing an IoT strategy. DigiCert hired ReRez Research surveyed 700 organizations from around the world for the survey.

DigiCert sorted the companies into three tiers -- those having the fewest IoT security problems, those scoring in the middle with their security results and a bottom tier for those having the most difficulties. Those $34 million in losses by some of these companies include everything from financial damages and lost productivity to a hit on their reputations and declining stock prices. DigiCert’s Nelson said the collection of companies surveyed were a "mixed bag" when it comes to security and privacy.

"There are organizations that are prioritizing security because they see and understand the risks of not doing it, and there are other organizations that have made the decision to not prioritize security or privacy," he said, adding that organizations spend money due to pain or opportunity. "Some organizations haven't felt or experienced the pain of dealing with a data breech or having malware embedded on a fleet of their devices and because of that, they are more reluctant to spend the money. Regarding opportunity, I don't see product security as being a strong enough product differentiator to motivate organizations to act."

However, those companies implementing security practices are getting better at it, he said. Security isn't something that just happens; it takes time, experience, the right people and a change in how a company thinks about a product.

"The biggest cause of struggle is lack of executive support to build a robust security program," Nelson said. "Once an organization prioritizes it, they then need to recruit people with the right skill set to solve the problems they have. I've seen organizations transfer a resource from audit or regulatory to run product security. These decisions need to be made carefully because good cybersecurity isn't something that can be learned overnight. People with the right expertise are needed in order to be successful bringing solutions forward."

Key steps companies need to take include encrypting sensitive data, ensuring the integrity of data in transit, scaling security measures, securing over-the-air updates and securing software-based encryption key storage, he said.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27218
PUBLISHED: 2020-11-28
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is ...
CVE-2020-29367
PUBLISHED: 2020-11-27
blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow when there is a lack of space to write compressed data.
CVE-2020-26245
PUBLISHED: 2020-11-27
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sani...
CVE-2017-15682
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
CVE-2017-15683
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.