One of the hottest topics in IT these days is the Internet of Things (IoT). This is partly hype for sure, but IoT is nevertheless something all IT and security executives should be learning about, if not actually focusing on as a corporate strategy.
The connection of all sorts of devices, products, assets, sensors and other “things” via the Internet offers all kinds of business opportunities, not the least of which are enhanced quality of products, improved customer service and the availability of an enormous amount of potentially valuable information.
But IoT also presents some daunting security challenges for organizations. If left unaddressed, the IoT-related security threats could undermine efforts to create a more connected world. More important, they could jeopardize corporate data and individuals’ safety and privacy.
Recent industry research provides a good look at the current state of IoT security efforts and needs.
One report, by Gartner Inc., shows that companies are investing more in security related to IoT. The study, released in April 2016, says worldwide IoT security spending will reach $348 million this year, a 24% increase from 2015 spending of $281.5 million. Spending on IoT security is expected to reach $547 million in 2018.
Although overall spending will initially be moderate, the firm predicts that IoT security spending will rise at a faster rate after 2020, as improved skills, organizational change and more scalable service options improve execution. Endpoint security spending will be dominated by connected cars, as well as complex machines and vehicles such as heavy trucks, commercial aircraft and farming and construction equipment.
The increased dedication to security is good, because the research firm predicts that, by 2020, more than 25% of identified attacks in enterprises will involve IoT. Still, it might not be sufficient because IoT will account for less than 10% of IT security budgets.
Security vendors “will be challenged to provide usable IoT security features because of the limited assigned budgets for IoT and the decentralized approach to early IoT implementations in organizations,” the report says. “Vendors will focus too much on spotting vulnerabilities and exploits, rather than segmentation and other long-term means that better protect IoT.”
Efforts to provide secure IoT services are expected to focus increasingly on the management, analytics and provisioning of devices and their data, according to Ruggero Contu, research director at Gartner. IoT business scenarios will require a delivery mechanism that can also grow and keep pace with requirements in monitoring, detection, access control and other security needs, he says.
Another study, by consulting and advisory services firm Strategy Analytics, found that 70% of IT departments spend less than 20% of their time securing the corporate network and data assets.
The February 2016 report, “IoT 2016 Security Threats and Trends: Perilous, Porous and Pernicious,” is based on an independent survey of more than 600 companies worldwide. The results showed 56% of respondents acknowledged that their organizations had, or might have had, a successful breach in the last 12 months, compared with 39% that said their networks did not suffer any security breaches.
“The survey results are a huge wake-up call,” noted Laura DiDio, director of IoT systems research and consulting at Strategy Analytics and author of the report. “IoT environments exponentially increase the size of the attack vector, since companies have so many more devices, end points and applications to secure.”
The survey results also showed that 44% of organizations that were hacked couldn’t determine the source or type of security attack or the duration of the breach. Other key findings were that only 7% of IT departments devote more than half of their time to security, and that 56% of respondents said end-user carelessness is the biggest security threat to their IoT networks. This was followed by 42% who cited malware as the biggest threat.
IoT will likely be among the top cyber security priorities in coming years. The Computer Emergency Readiness Team (CERT) Division of the Software Engineering Institute at Carnegie Mellon University recently issued a study identifying 10 at-risk emerging technologies, and a few are related to IoT.
In the report, “2016 Emerging Technology Domains Risk Survey,” researchers looked at the security of a range of technology areas being developed. One is the connected home, which involves automation of home devices, appliances and computers that integrate with a centralized service for consumer use and control.
Another area is smart sensors, a key technology of the IoT, which provide information about or control of a physical environment in response to certain stimuli.
“In today's increasingly interconnected world, the information security community must be prepared to address vulnerabilities that may arise from new technologies,” Christopher King, vulnerability analyst at the CERT division, notes in a blog post about the report. “Understanding trends in emerging technologies can help information security professionals, leaders of organizations, and others interested in information security identify areas for further study.”