Enterprise IoT devices underestimated and under-secured
Security and the Internet of Things (IoT) is an ongoing discussion, and new research highlights the perception of consumers and IT professionals varies greatly. Despite this, it's widely agreed that security and privacy needs to be a key focus of users and manufacturers.
According to the ISACA’s 2015 IT Risk/Reward Barometer, 64% of consumers are confident they can control the security on IoT devices they own.
However, only 22% of IT and cyber security professionals feel this same confidence about controlling who has access to information collected by IoT devices in their homes.
The global average estimated number of IoT devices in the home was six. Smart TVs topped the list of most wanted connected device to buy in the next 12 months, with wearable devices, such as smart watches and fitness trackers, also highly ranked.
The IoT for business-to-business use alone is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices worldwide by 2020, according to one estimate.
The ISACA survey highlights that a significant number of respondents believe IoT is underestimated and under-secured, and IT and cybersecurity professionals recognise IoT often flies below the radar and presents an invisible risk.
In fact, nearly half believe their IT department is not aware of all of their organisation’s connected devices - for instance, connected thermostats, TVs, fire alarms, and cars.
Furthermore, 73% estimate the likelihood of an organisation being hacked through an IoT device is medium or high, and 63% think the increasing use of IoT devices in the workplace has decreased employee privacy.
“In the hidden Internet of Things, it is not just connectivity that is invisible. What is also invisible are the countless entry points that cyber attackers can use to access personal information and corporate data,” says Christos Dimitriadis, international president of ISACA and group director of Information Security for INTRALOT.
“The rapid spread of connected devices is outpacing an organisation’s ability to manage it and to safeguard company and employee data,” he says.
However, the business risk of not embracing the IoT and falling behind competitors may well outweigh any potential cost of a cyberattack, although organisations need to manage the risk to achieve the most benefit, Dimitriadis says.
According to global cyber security and IT professionals surveyed, device manufacturers are falling short on this front.
Of those surveyed, 72% say they do not believe that manufacturers are implementing sufficient security measures in IoT devices.
A nearly equal proportion (73%) don’t think current security standards sufficiently address the IoT and believe that updates and/or new standards are needed.
Privacy is also an issue, with 84% saying device makers don’t make consumers sufficiently aware of the type of information the devices can collect.
ISACA’s consumer research suggests that consumers are likely to value businesses that can demonstrate their expertise in and commitment to cyber security best practices.
Globally, the majority of consumers say it is important that data security professionals hold a cyber security certification if they work at organisations with access to the consumers’ personal information.
“Device manufacturers should lead the charge on adopting an industry-wide security standard that addresses IoT security, and put in place rigorous security governance and professional development for their cyber security employees.
“ISACA’s research shows a direct connection between positive customer sentiment and companies that can demonstrate security credentials,” says Robert Clyde, international vice president of ISACA and managing director of Clyde Consulting LLC.
The ISACA has highlighted some ways enterprises can safely embrace IoT devices in the workplace to keep competitive advantage without becoming susceptible to breaches:
- Ensure all workplace devices owned by organisation are updated regularly with security upgrades
- Require all devices be wirelessly connected through the workplace guest network, rather than internal network
- Provide cyber security training for all employees to demonstrate their awareness of best practices of cyber security and the different types of cyberattacks
When it comes to manufacturers of IoT devices, ISACA says there are various best practices to abide by:
- Require all developers who build software to have appropriate performance-based cyber security certification, to ensure safe coding practices are being followed
- Insist all social media sharing be opt-in
- Encrypt all sensitive information, especially when connecting to Bluetooth-enabled devices
- Build IoT devices that can be automatically updated with new security upgrades