New data tells us that stakeholders in the internet of things are making progress when it comes to securing IoT infrastructure and the data it produces, but there is still a long way to go. In order to assess the current state of affairs, Gemalto recently surveyed 950 IT and business decision-makers with awareness of IoT in their organization. Some of the results were encouraging, while others were less so.
Security is clearly an emerging priority. Companies are now devoting 13% of their IoT budgets to security, up from 11% last year. Ninety percent said they believe security is a major consideration for their customers and 97% believe that a strong approach to IoT security is a key competitive differentiator.
Three primary security tools emerged as the chief methods IoT vendors are relying on. One is encryption, which remains an optimal way to protect any type of data in motion and at rest. The use of encryption rose from 67% last year to 71%, which is an impressive figure, especially when you compare it to the security landscape as a whole. As part of tracking publicly disclosed breaches, Gemalto has found that encryption was only in place in 4% of the 944 worldwide breach incidents that took place in the first half of 2018.
More organizations also started protecting their devices and other technologies with password management (up from 63% to 66%). Poor password management has already been a major storyline in the world of IoT security. CCTV cameras, DVR boxes and routers with default passwords notoriously led to the Mirai botnet and others that have followed. These botnets operate by gaining access to devices using the default password and then infecting them with software to launch distributed denial-of-service (DDoS) attacks.
Less prominent, but still very promising, is the increased use of blockchain to protect IoT networks. Blockchain, in its simplest form, is an immutable distributed ledger which provides cryptographic assurance of its data and transactions. There is a natural fit for this technology with IoT — a distributed collection of devices that send and receive data. Blockchain can be the enabling platform used to establish trust and provide security and privacy at scale, resistant to single points of failure. In the study by Gemalto, the number of respondents using it rose by ten percent — from 9% to 19%. Twenty-three percent said they would ideally use the blockchain for the purpose of authentication, while 91% of those who don’t use the technology would consider using it in the future.
Another interesting development is the number of people who believe governments should be doing more to regulate IoT security. Nearly all (96%) believe there should be laws in place, while 80% go so far as to call on governments around the world to provide more robust guidelines for the industry. Security ownership is a key theme here — 59% said they think regulations should clarify who is responsible for IoT security.
Not so encouraging
In spite of ramped-up security efforts, less than half of companies (48%) are able to detect if any of their IoT devices have been breached. This is an obvious concern, given that the rising number of connected devices represents a growing attack surface for hackers to exploit, not to mention the fact that an undetected data breach can cause serious damage.
Data privacy is also an issue. Even as the public has grown more aware of data privacy issues, 38% of respondents to the survey said privacy presents a challenge to their organization. Thirty-four percent said they experience challenges associated with collecting large amounts of data from connected devices. Only 59% said they encrypt all data in their organization.
Like most of us, respondents to the survey were also consumers of IoT. Sixty-two percent said they believe that the security of their IoT devices needs improving, while 54% said they have privacy concerns about their IoT use.
Where does that leave us?
Ultimately, it’s clear that there is a growing appreciation for the importance of security to IoT. In the past, we have advocated for a security-by-design approach — in other words, building security mechanisms into IoT technologies as a foundational piece of their development. According to this survey, the number of organizations taking such an approach rose from 50% to 57% this year. This is one of the most encouraging signs of all.
With that said, there is almost universal acknowledgment that government policy and mandates would accelerate the adoption of proper security practices in IoT. If the recent privacy/data scandals are any indication, the private sector may need a nudge to avert serious damage from a major privacy or DDoS disaster.
In the meantime, we still have work to do. The number of connected devices is on track to hit 20 billion by 2023. Anyone who is a part of this ecosystem, whether you’re manufacturing devices, writing software or crunching IoT data, needs to continue improving data protection, breach detection and mitigation capabilities.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.