The Internet of Things is becoming increasingly important to most businesses, but many of those organizations aren't making security around all those intelligent connected devices a priority, according to researchers at cybersecurity firm DigiCert.
In fact, a report by DigiCert found that among those companies that are having the most difficulty securing their IoT environments, 25% report that they had lost at least $34 million over the last two years due to security-related issues. That number will grow unless companies that bring connected devices into the fold start taking steps to increase the security round them.
"The security challenges presented by IoT are similar to the many IT and internet security challenges industries have faced for years," Mike Nelson, vice president of IoT security at DigiCert, told Security Now in an email. "Encryption of data in transit, authentication of connections, ensuring the integrity of data -- these challenges are not new. However, in the IoT ecosystem these challenges require new and unique ways of thinking to make sure the way you're solving those challenges works. Regarding evolution of security challenges, the biggest challenge is simply the scale and the magnitude of growth. Having scalable solutions is going to be critical."
Organizations also will have to deal with the issue of securing the interoperability of these myriad devices. In the coming years, "it won't be sufficient for an organization to simply secure the connections their device makes with other internal resources," Nelson said. "IoT devices will be connecting to each other and other systems and the secure interoperability of those connections will be a unique challenge."
The benefits and challenges of the IoT have been known for several years.
Smart connected devices -- from in-home thermostats to industrial systems -- can improve customer experiences, increase revenue, improve efficiency and agility within a business and reduce costs. However, the ever-growing numbers of connected devices also vastly expands the attack surface for bad actors, putting both security and privacy at risk.
A growing industry
Some vendors and analysts have predicted that by 2020, there will be 20 billion or more connected devices worldwide, and that could grow to 80 billion by 2025, with spending on the IoT increasing from $80 billion last year to almost $1.4 trillion by 2021, according to IDC analysts. Attacks against IoT devices also have increased, with growing concerns about the rise of DDoS attacks, like the one in 2016 that brought down the DNS service.
Consumers also are concerned about security, so much so that these concerns are slowing the adoption of IoT, F-Secure wrote in a recent report. (See IoT Device Adoption Hampered by Consumer's Security Concerns.)
DigiCert's report, “State of IoT Security," found that 82% of companies surveyed reported that security was a top concern when implementing IoT, while 78% said privacy was another. That comes as 83% said IoT is important to their businesses today and 92% said it will be important by 2020. Most companies are just getting started; only a third said they had completed implementing an IoT strategy. DigiCert hired ReRez Research surveyed 700 organizations from around the world for the survey.
DigiCert sorted the companies into three tiers -- those having the fewest IoT security problems, those scoring in the middle with their security results and a bottom tier for those having the most difficulties. Those $34 million in losses by some of these companies include everything from financial damages and lost productivity to a hit on their reputations and declining stock prices. DigiCert’s Nelson said the collection of companies surveyed were a "mixed bag" when it comes to security and privacy.
"There are organizations that are prioritizing security because they see and understand the risks of not doing it, and there are other organizations that have made the decision to not prioritize security or privacy," he said, adding that organizations spend money due to pain or opportunity. "Some organizations haven't felt or experienced the pain of dealing with a data breech or having malware embedded on a fleet of their devices and because of that, they are more reluctant to spend the money. Regarding opportunity, I don't see product security as being a strong enough product differentiator to motivate organizations to act."
However, those companies implementing security practices are getting better at it, he said. Security isn't something that just happens; it takes time, experience, the right people and a change in how a company thinks about a product.
"The biggest cause of struggle is lack of executive support to build a robust security program," Nelson said. "Once an organization prioritizes it, they then need to recruit people with the right skill set to solve the problems they have. I've seen organizations transfer a resource from audit or regulatory to run product security. These decisions need to be made carefully because good cybersecurity isn't something that can be learned overnight. People with the right expertise are needed in order to be successful bringing solutions forward."
Key steps companies need to take include encrypting sensitive data, ensuring the integrity of data in transit, scaling security measures, securing over-the-air updates and securing software-based encryption key storage, he said.
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.