Concerns about security continue to hinder the adoption of IoT devices. Enterprise customers indeed are interested in buying more IoT devices, but only if vendors can provide better security for them.
Bain & Company conducted research into the attitudes of enterprise buyers about cybersecurity and the internet of things, and we found that executives would buy, on average, 70% more IoT devices for their systems if cybersecurity concerns were addressed, compared with what they would buy if the status quo remains. Additionally, 93% of the executives we surveyed said they would pay an average of 22% more for devices with better security. Bain estimates that improving security for these devices could grow the IoT cybersecurity market by $9 billion to $11 billion in 2020.
For IoT device vendors — companies that make IoT devices as well as those that provide related solutions — the message is clear: Improve security to gain a competitive edge and expand your market.
Most executives we surveyed (60%) said they are very concerned about the risks IoT devices pose to their companies — not surprising, given the damage that an IoT security breach can cause to operations, revenue and safety. When poorly protected, IoT devices can allow access to enterprise systems, resulting in large data breaches. For example, in January 2018, a Mirai malware variant called Okiru targeted ARC processors embedded in billions of IoT products.
Executives who manage security say they want technologies that are highly effective, easy to integrate and flexible to deploy. Companies take a range of approaches to meet their security needs based on their capabilities and the availability of marketplace mechanisms from vendors. Only about a third of IoT cybersecurity systems used today are from IoT device vendors, indicating that vendors either are not offering holistic, high-quality technologies that meet consumer needs or are not promoting them well enough. Our research found that companies with the most advanced cybersecurity capabilities rely more on internally developed security mechanisms, not only because they may have more complex needs, but also because they are more likely to have the resources to develop their own technologies. As might be expected, companies with ad-hoc security capabilities have the most gaps across all IoT layers that we tested, including access interface, applications, data, hardware and operating system, network and operations.
We also looked at how companies deploy technologies by layer of security, and found ample opportunity for IoT device vendors at every layer of the stack. Our survey shows that the access interface layer has the greatest level of protection, whether internally developed or provided by a manufacturer or third party. Other layers of the stack are protected by more internal systems — or, in some cases, none at all.
IoT device vendors and ecosystem players that move quickly to improve the security around IoT devices are likely to reap rewards, both from their ability to earn a premium and from an expanded market.
First, manufacturers need to understand how customers are using their devices. Refreshing their understanding of customer use cases every 12 to 18 months will allow them to stay on top of evolving security requirements and identify unmet needs. Ascertaining the average cybersecurity maturity level of their customers will help manufacturers invest in the appropriate out-of-the-box and add-on systems.
Second, manufacturers should provide cybersecurity capabilities on the device and, when possible, partner with trusted cybersecurity vendors to offer additional systems. Engineering teams should embed secure development practices into the software and hardware components of the device, and provide inherent technologies for the access interface, apps, data and device layers.
Third, manufacturers also need to meet quality assurance thresholds and be able to certify that their IoT devices are free from known vulnerabilities. This would mitigate a major pain point for customers, who sometimes install new devices without realizing they contain vulnerabilities. Deploying a more methodical process to identify and remove vulnerabilities across layers, or engaging third-party vulnerability scanning and penetration test firms, can help manufacturers meet this bar.
Finally, manufacturers can fulfill their obligations during the warranty period by continuously testing for new vulnerabilities and by providing software and firmware updates, as well as feature and functionality upgrades for out-of-the-box and aftermarket systems. Delivering updates to firmware, operating systems and applications in response to newly discovered security vulnerabilities should remain a top priority throughout the warranty period.
These four steps are a start, though by no means all it will take to begin addressing the security concerns that are holding back IoT device adoption. While growth in IoT markets seems destined to continue its inexorable march, many enterprise customers will continue to move cautiously until they can gain some reasonable assurance of security — not only of their data, but also of the operations that increasingly rely on devices, sensors and IoT.
This article was co-written by Ann Bosche, a partner with Bain’s Global Technology practice, and Frank Ford, a partner with Bain’s IT practice. Ann is based in San Francisco and Frank is based in London.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.