The struggle to secure the IoT is a serious and difficult one, according to an enterprise IoT security study conducted by security technology company DigiCert. The firm found that a quarter of companies having trouble in this area lost at least $34 million during the past two years. But there is hope: Companies that pay attention and make the investment can create secure IoT environments.
Use of the IoT is growing. Eighty-three percent of companies said it is extremely important to them now and 92% said it will be extremely important within the next two years. The survey, which was conducted by ReRez in September, covered 700 organizations in the United States, the U.K., Germany, France and Japan.
“Enterprises today fully grasp the reality that the Internet of Things is upon us and will continue to revolutionize the way we live, work and recreate,” said Mike Nelson, the Vice President of IoT Security at DigiCert, in a press release.
“Securing IoT devices is still a top priority that many enterprises are struggling to manage; however, integrating security at the beginning, and all the way through IoT implementations, is vital to mitigating rising attacks, which can be expected to continue. Due diligence when it comes to authentication, encryption and integrity of IoT devices and systems can help enterprises reliably and safely embrace IoT.”
The top five cost centers related to IoT security during the past five years are monetary damages, lost productivity, legal/compliance penalties, lost reputation and stock price.
Enterprise IoT Security Study
Researchers divided enterprises into three tiers, based on their IoT security preparedness. Bottom-tier companies were:
- More than six times as likely to have experienced IoT-based Denial of Service attacks.
- More than six times as likely to have experienced Unauthorized Access to IoT Devices.
- Nearly six times as likely to have experienced IoT-based Data Breaches.
- 4.5 times as likely to have experienced IoT-based Malware or Ransomware attacks.
Almost 80 percent of top-tier enterprises associated no cost with their missteps. The reason was good habits, which include encrypting sensitive data, ensuring the integrity of data in transit, scaling security measures, securing over-the-air updates and securing software-based encryption key storage.
The enterprise IoT security study produced five best practices:
- Review risk: Perform penetration testing to assess the risk of connected devices. Evaluate the risk and build a priority list for addressing primary security concerns, such as authentication and encryption. A strong risk assessment will help ensure you do not leave any gaps in your connected security landscape.
- Encrypt everything: As you evaluate use cases for your connected devices, make sure that all data is encrypted at rest and in transit. Make end-to-end encryption a product requirement to ensure this key security feature is implemented in all of your IoT projects.
- Authenticate always: Review all of the connections being made to your device, including devices and users, to ensure authentication schemes only allow trusted connections to your IoT device. Using digital certificates helps to provide seamless authentication with bound identities that are tied to cryptographic protocols.
- Instill integrity: Account for the basics of device and data integrity, including secure boot every time the device starts up, secure over-the-air updates, and the use of code signing to ensure the integrity of any code being run on the device.
- Strategize for scale: Make sure that you have a scalable security framework and architecture ready to support your IoT deployments. Plan accordingly and work with third parties that have the scale and expertise to help you reach your goals so that you can focus on your company’s core competency.
There is at least one potential source of help on the way. Blockchain, Parks Associates said last month, could increase security by eliminating centralized cloud-based servers that are the prime target of data thieves.