Top practices for shoring up Internet of Things security
Machines and devices are everywhere, connected—and multiplying. These are the “things” of the Internet of Things, and today there are nearly three devices attached to the internet for every human on the planet. By 2025 that ratio will soar to 10 to 1.
For consumers, that means their thermostats and refrigerators can be connected to real-time, sophisticated analytics engines that automatically adjust them to be more efficient and save more money. But what does that mean for businesses?
Well, just as it’s doing for consumers, IoT is helping businesses streamline operations, save money and time with real-time, actionable intelligence, and prevent problems with predictive analytics. But there’s a dark side to IoT. Frankly, it’s the concerning underbelly that exists in all connected technologies: a lack of security.
We already see massive DDoS attacks driven by IoT devices. Experts concede that is just the tip of the iceberg. In all, analysts project the global IoT market to exceed the $1 trillion mark in 2022. Today, companies in every industry rely on IoT as part of their business strategy. According to a recent DigiCert survey of 700 organizations, 92 percent of companies expect IoT to be important to their business by 2020.
IoT Isn’t Easy
Among those respondents, 8 in 10 list security as their top IoT concern. The top four concerns enterprises report for IoT are:
Getting IoT Security Wrong Costs Companies Big-Time
Underlying this gold-rush type mentality for IoT is the concern for security. Security and privacy topped the list of concerns for IoT projects, with 82 percent of respondents stating they were somewhat to extremely concerned about security challenges.
As it turns out, organizations’ concern for security is warranted. Enterprises have begun sustaining significant monetary losses stemming from the lack of sound security practices as they move forward with incorporating the Internet of Things (IoT) into their business models. Among companies surveyed that are struggling the most with IoT security, 25 percent reported IoT security-related losses of at least $34 million in the last two years.
Most of these reported losses came in five expensive areas:
- 59 percent – monetary damages
- 59 percent – lost productivity
- 43 percent – legal/compliance penalties
- 40 percent – lost reputation
- 31 percent – stock price fluctuations
The survey results revealed a major divide among companies. Some are doing incredibly well at tackling IoT while others are struggling. We divided these enterprises into three categories based on their expertise with IoT security.
- Top-tier companies reporting the fewest problems and the most mastery of IoT security.
- Bottom-tier companies reporting far more problems and more trouble mastering IoT security.
- Middle-tier companies falling squarely between these two extremes in their reported IoT security confidence.
The difference between the top- and bottom-tiers was unmistakable. Companies struggling the most with IoT implementation are much more likely to experience IoT-related security incidents. Every bottom-tier enterprise experienced an IoT-related security incident, versus just 32 percent of the top-tier.
The bottom-tier was also more likely to report problems in these specific areas:
- More than six times as likely to have experienced IoT-based Denial of Service attacks.
- More than six times as likely to have experienced unauthorized access to IoT devices.
- Nearly six times as likely to have experienced IoT-based data breaches.
- 4.5 times as likely to have experienced IoT-based malware or ransomware attacks.
Although the top-tier enterprises experienced some security missteps, an overwhelming majority (almost 80 percent) reported no costs associated with those missteps.
Most Important Lessons
It’s clear that if you are looking to make IoT an ongoing part of your business, you need to take security seriously and make it a priority. The top-performing enterprises are drilling down on authentication and identity, encryption, and data integrity.
We also asked top-tier companies what security practices they follow as part of their IoT infrastructure. Here’s how they answered:
- Encrypting sensitive data
- Ensuring integrity of data in transit
- Scaling security measures
- Securing over-the-air updates
- Securing software-based encryption key storage
Delving deeper into these answers, we found the five best practices to help companies align their IoT security posture with the top-tier enterprises:
- Review risk: Perform penetration testing to assess the risk of connected devices. Evaluate the risk and build a priority list for addressing primary security concerns, such as authentication and encryption. A strong risk assessment will help assure you do not leave any gaps in your connected security landscape.
- Encrypt everything: As you evaluate use cases for your connected devices, make sure that all data is encrypted at rest and in transit. Make end-to-end encryption a product requirement to ensure this key security feature is implemented in all of your IoT projects.
- Authenticate always: Review all of the connections being made to your device, including devices and users, to ensure authentication schemes only allow trusted connections to your IoT device. Using digital certificates helps to provide seamless authentication with bound identities tied to cryptographic protocols.
- Instill integrity: Account for the basics of device and data integrity, including secure boot every time the device starts up, secure over-the-air updates, and the use of code signing to ensure the integrity of any code being run on the device.
- Strategize for scale: Make sure that you have a scalable security framework and architecture ready to support your IoT deployments. Plan accordingly and work with third parties that have the scale and expertise to help you reach your goals so that you can focus on your company’s core competency.
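To make the "secure over-the-air updates" and "code signing" items above concrete, here is a device-side check that runs before an update is flashed. It is an added example, not code from the article or the survey; the `Manifest` layout, the `VerifyUpdate` and `Demo` names, and the choice of Ed25519 signatures are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor signed with the vendor's code-signing key.
type Manifest struct {
	Version uint32   // monotonically increasing firmware version
	Digest  [32]byte // SHA-256 of the firmware image
}
// Bytes returns the fixed-layout encoding that is signed and verified.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.Digest[:]...)
}

// VerifyUpdate is the device-side gate that runs before an image is flashed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed { // anti-rollback: refuse old but validly signed firmware
		return errors.New("version not newer than installed")
	}
	if sha256.Sum256(image) != m.Digest {
		return errors.New("image digest does not match signed manifest")
	}
	return nil
}

// Demo runs the gate over constructed sample data and returns each outcome.
func Demo() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key; a real signing key stays off-device
	image := []byte("constructed firmware image, version 2")
	m := Manifest{Version: 2, Digest: sha256.Sum256(image)}
	sig := ed25519.Sign(priv, m.Bytes())
	return map[string]error{
		"valid":    VerifyUpdate(pub, 1, m, sig, image),
		"tampered": VerifyUpdate(pub, 1, m, sig, append([]byte("x"), image...)),
		"rollback": VerifyUpdate(pub, 2, m, sig, image),
		"edited":   VerifyUpdate(pub, 1, Manifest{Version: 9, Digest: m.Digest}, sig, image),
	}
}
func main() { fmt.Println(Demo()) }
```

Only the public key needs to live on the device; the version comparison matters because an older image with a known flaw still carries a valid signature.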
If you want your IoT implementation to be successful, it’s imperative that you invest in and prioritize IoT security. Those who do this are finding success, while those who do not face increasing risk and financial hits. Prioritizing security will help you get the most out of your IoT while protecting against the potential losses caused by security events.