Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

IoT Security Problems Can Cost Enterprises Millions

A survey by DigiCert finds that the IoT is a priority for most companies, but many enterprises struggle when it comes to security and privacy. This can translate into firms losing millions.

The Internet of Things is becoming increasingly important to most businesses, but many of those organizations aren't making security around all those intelligent connected devices a priority, according to researchers at cybersecurity firm DigiCert.

In fact, a report by DigiCert found that among those companies that are having the most difficulty securing their IoT environments, 25% report that they had lost at least $34 million over the last two years due to security-related issues. That number will grow unless companies that bring connected devices into the fold start taking steps to increase the security round them.

"The security challenges presented by IoT are similar to the many IT and internet security challenges industries have faced for years," Mike Nelson, vice president of IoT security at DigiCert, told Security Now in an email. "Encryption of data in transit, authentication of connections, ensuring the integrity of data -- these challenges are not new. However, in the IoT ecosystem these challenges require new and unique ways of thinking to make sure the way you're solving those challenges works. Regarding evolution of security challenges, the biggest challenge is simply the scale and the magnitude of growth. Having scalable solutions is going to be critical."

Organizations also will have to deal with the issue of securing the interoperability of these myriad devices. In the coming years, "it won't be sufficient for an organization to simply secure the connections their device makes with other internal resources," Nelson said. "IoT devices will be connecting to each other and other systems and the secure interoperability of those connections will be a unique challenge."

The benefits and challenges of the IoT have been known for several years.

Smart connected devices -- from in-home thermostats to industrial systems -- can improve customer experiences, increase revenue, improve efficiency and agility within a business and reduce costs. However, the ever-growing numbers of connected devices also vastly expands the attack surface for bad actors, putting both security and privacy at risk.

A growing industry
Some vendors and analysts have predicted that by 2020, there will be 20 billion or more connected devices worldwide, and that could grow to 80 billion by 2025, with spending on the IoT increasing from $80 billion last year to almost $1.4 trillion by 2021, according to IDC analysts. Attacks against IoT devices also have increased, with growing concerns about the rise of DDoS attacks, like the one in 2016 that brought down the DNS service.

Consumers also are concerned about security, so much so that these concerns are slowing the adoption of IoT, F-Secure wrote in a recent report. (See IoT Device Adoption Hampered by Consumer's Security Concerns.)

DigiCert's report, “State of IoT Security," found that 82% of companies surveyed reported that security was a top concern when implementing IoT, while 78% said privacy was another. That comes as 83% said IoT is important to their businesses today and 92% said it will be important by 2020. Most companies are just getting started; only a third said they had completed implementing an IoT strategy. DigiCert hired ReRez Research surveyed 700 organizations from around the world for the survey.

DigiCert sorted the companies into three tiers -- those having the fewest IoT security problems, those scoring in the middle with their security results and a bottom tier for those having the most difficulties. Those $34 million in losses by some of these companies include everything from financial damages and lost productivity to a hit on their reputations and declining stock prices. DigiCert’s Nelson said the collection of companies surveyed were a "mixed bag" when it comes to security and privacy.

"There are organizations that are prioritizing security because they see and understand the risks of not doing it, and there are other organizations that have made the decision to not prioritize security or privacy," he said, adding that organizations spend money due to pain or opportunity. "Some organizations haven't felt or experienced the pain of dealing with a data breech or having malware embedded on a fleet of their devices and because of that, they are more reluctant to spend the money. Regarding opportunity, I don't see product security as being a strong enough product differentiator to motivate organizations to act."

However, those companies implementing security practices are getting better at it, he said. Security isn't something that just happens; it takes time, experience, the right people and a change in how a company thinks about a product.

"The biggest cause of struggle is lack of executive support to build a robust security program," Nelson said. "Once an organization prioritizes it, they then need to recruit people with the right skill set to solve the problems they have. I've seen organizations transfer a resource from audit or regulatory to run product security. These decisions need to be made carefully because good cybersecurity isn't something that can be learned overnight. People with the right expertise are needed in order to be successful bringing solutions forward."

Key steps companies need to take include encrypting sensitive data, ensuring the integrity of data in transit, scaling security measures, securing over-the-air updates and securing software-based encryption key storage, he said.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.
PUBLISHED: 2020-08-11
radare2 4.5.0 misparses signature information in PE files, causing a segmentation fault in r_x509_parse_algorithmidentifier in libr/util/x509.c. This is due to a malformed object identifier in IMAGE_DIRECTORY_ENTRY_SECURITY.