Though IoT was a driving force in the wave of technological change of the 2010s, security has been its greatest adversary. We have seen waves of attacks, both attempted and successful, against IoT devices that often result in networks being brought down in massive denial-of-service attacks.
As we enter the next decade, we need new strategies and behaviors that ensure the next phase of IoT deployment will be stronger, more successful and more secure.
The formula for doing that is simple, but not easy: Make IoT security a strategy, a process and a budget priority.
Make security a strategy, not an afterthought
The IoT industry must transition quickly to a security-as-standard model. What we are experiencing now is the painful result of security being an add-on and not something that is built in.
Security should not be complementary; it must be mandatory for every IoT solution. Businesses and organizations should be able to ask themselves whether their IoT platform and system are secure and know, not guess or hope, that the answer is a resounding yes.
This isn’t just common sense; it is good business. Without the necessary tools and solutions to secure against threats, IoT solutions aren’t solutions at all. Rather, they are ticking time bombs that could render an organization inoperable. To achieve this, security must be built into IoT deployments from the ground up. Moreover, security must be futureproofed so that protection and updates can be delivered throughout the lifespan of the IoT system.
Consider security as a process, not a product
IoT security is not similar to physical security, such as protecting a house or business from a random robber or two. IoT security is fundamentally different in both scale and scope. Imagine thousands of skilled burglars working around the clock crafting new lockpicks or alarm disablers and sharing each new trick with their fellow criminals for free.
This means security for IoT devices cannot be a one-and-done deal, where the protections that you have when the device is shipped are the protections you have in the foreseeable future.
The days of one-and-done in the field of security are over. Rather, for both IoT providers and the businesses and organizations that depend on them, security should be thought of as a service. This Security-as-a-Service approach benefits everyone. It gives organizations dependent on IoT innovations continual vigilance and resilience in the face of ever-changing and innovative attacks. Plus, it gives IoT providers a steady revenue stream so they can invest in the tools, updates and infrastructure needed to keep platforms and operations safe and secure.
Prioritize security in your budget
Prioritizing security leads to the issue of money and budgets. IoT security exemplifies the old adage: pay me now or pay me later.
Businesses are slowly beginning to understand the cost of getting security wrong. Last year the average cost of a cyberattack was $4.6 million. One in ten of those attacks cost businesses over $10 million. Yet in the face of these mounting costs, we’ve yet to see that understanding translate into security budgets adequate to protect against the attacks of today, much less those of tomorrow.
Too often, end customers expect their devices to have security-as-standard without accepting the necessary increase in price to make that possible. And too often, manufacturers expect teams to incorporate security into their development strategies without providing them the necessary increase in budget, whether that be in talent or technology, to do so. This applies not just to the stand-alone business, but also throughout an organization’s increasingly complex and global supply chain.
When thinking about IoT today and in the future, there are a lot of nice-to-haves. Security is not one of them. We’ve seen how IoT can bring tremendous innovation and benefits to individuals, organizations and societies. But with those benefits come both the risks and the responsibility to keep those systems reliable and secure. To do that, we’re going to need to think, act and invest differently.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.