by Jason Hart
More than half of companies still can’t detect if any of their IoT devices have been breached, and a majority are looking to the government for help. Those are just two of the more striking takeaways from a new IoT security survey.
Gemalto surveyed 950 IT and business decision makers with knowledge of IoT usage in their organization. The results provided an updated snapshot of the challenges the industry is up against, but there were also some reassuring signs as well as surprises.
To wit: An overwhelming number of people believe governments should be doing more to regulate IoT security. Ninety-six percent of respondents believe there should be laws in place, while 80 percent also say governments around the world should provide more robust guidelines for the industry. Fifty-nine percent said they think those guidelines should clarify who is responsible for IoT security.
As things currently stand, 52 percent of companies still can’t detect if any of their IoT devices have been breached. This is a major concern, given that a projected 20 billion connected devices will be online by 2023, constituting a giant and growing attack surface for hackers to exploit. An undetected data breach can cause serious damage not only to companies and consumer privacy but also to downstream systems that may rely on hacked devices and the data they produce.
Data privacy is understandably one of the driving concerns behind the support for regulation, and the survey data supports the notion that those concerns are valid. Thirty-eight percent of survey respondents said IoT data privacy poses a challenge to their organization. The core of the problem often relates to the sheer volume of data that connected devices can produce. Thirty-four percent said they experience challenges associated with collecting large amounts of IoT data. When it came to their consumption of IoT, 62 percent said they believe that the security of their IoT devices needs improving, while 54 percent said they have privacy concerns about their own IoT use. Many (50 percent) were specifically concerned about the lack of control over their personal data.
Among the more reassuring signs is the rise of encryption in the IoT space. Use of the technology rose from 67 percent last year to 71 percent. This is significant, especially compared to business in general. According to Gemalto’s Breach Level Index, encryption was only in place to help limit the damage in four percent of the 944 breach incidents that took place in the first half of 2018. There is still, however, much room for improvement; only 59 percent of survey respondents said they encrypt all data in their organization. This is crucial for various players in the IoT ecosystem, from device manufacturers to those writing software or crunching IoT data.
Another very positive development is that companies are devoting more of their IoT budgets to security. Security accounts for 13 percent of IoT budgets, up from 11 percent a year ago. Ninety-seven percent said that a strong approach to IoT security is a key competitive differentiator, while 90 percent said they believe security is a major consideration for their customers.
A slightly higher percentage of organizations started protecting their devices and other technologies with passwords (up from 63 to 66 percent). Lack of password protection has already been a major issue in the world of IoT security. Malicious hackers have demonstrated that they can deploy botnets to take over unsecured devices and use them to launch distributed denial-of-service attacks. This happened most famously when the Mirai botnet took over thousands of unprotected DVR boxes. This illustrated that not only should connected devices be protected by passwords, but also that end users need to update those passwords from their factory defaults.
Blockchain remains a fascinating alternative approach to securing IoT. The survey revealed rising use of the technology to protect IoT networks where it can be used to authenticate devices more effectively. The number of respondents using blockchain more than doubled, from 9 to 19 percent. Twenty-three percent said they want to use the blockchain for this purpose, while 91 percent of those who don’t use the technology would consider it.
Overall, security is emerging as perhaps the most critical factor for the success of IoT. The best way for device manufacturers and other stakeholders is to take a security-by-design approach. This means building security mechanisms into IoT devices as a foundational piece of their development. The good news is that a growing majority of organizations (from 50 percent in 2017 to 57 percent in 2018) are now taking such an approach.
It would seem to be the federal government’s turn to start to play catch up. Getting to the next phase of adoption will require a joint effort between government and the entire industry. What this survey data tells us is that the industry as a whole is taking the challenge very seriously and is making meaningful progress toward enabling all of us to realize the full benefits of the IoT.
Jason Hart is the CTO of data protection at Gemalto.