The Internet of Things represents one of the greatest technology-driven opportunities organisations will grapple with over the next decade. It also represents one of the greatest sources of potential digital disruption to your organisation and an enormous ratcheting up of the security headaches associated with any data-driven business.
The number of IoT devices deployed is expected to rise from 13.1 billion in 2015 to 28.1 billion in 2020, according to analyst house IDC – and we know that many of these deployments are happening in a piecemeal, ad-hoc way. Large enterprises have a range of IoT projects in motion but there is often little coordination between them and with that, a lack of analysis of the security implications these projects bring.
An insight into the scale of the problem was provided by a 2015 Hewlett Packard Enterprise Security Research report, which evaluated vulnerabilities in a range of consumer devices, from televisions, webcams, home thermostats and remote power outlets to door locks, home alarms, scales and garage door openers. All the devices used mobile networks and most were linked to cloud services.
The results were, at the least, concerning. Some 80 percent failed to demand adequate password protection, 70 percent allowed hackers to identify user accounts and 70 percent did not encrypt data on the web or local network.
For business technology and security professionals there can be no comfort in suggesting that these findings relate to consumer devices and that enterprise systems will be more secure. Rather the findings are indicative of a general confusion around IoT and security. Few, if any, organisations wilfully subject their customers to risk and, as a result, themselves to potential financial and reputational damage. Insecure products and services rolled out to customers are likely to be a sign that enterprise use of IoT falls short on security also.
Locating the challenges
An Economist Intelligence Unit report, Securing the internet of things: The conversation you need to have with your CEO, produced in conjunction with Hewlett Packard Enterprise, locates some of the problems and suggests a series of steps to get a handle on the issues.
Some of the problems are inevitable with new technologies that open the way for fundamental business transformation. Although embedded systems have been around for many decades in industrial control systems, the Internet of Things is connecting our world in ways that were inconceivable a decade ago. It is found everywhere from lightbulbs to airplane engines to hospitals and smart cars, yet it is still an immature technology.
Not only are many enterprise deployments made piecemeal but so is the security surrounding them, which often involves proprietary or conflicting standards.
Picking a way through this minefield is made more difficult because, as the EIU argues, ‘data security continues to be a low priority for the C-suite and board of directors.’
For business technology leaders the challenge is to ensure the C-suite grasp both the scale of the opportunities and the potential risks. If the combination of IoT and analytics offers organisations the chance to leap from linear growth to exponential growth, the deployment of IoT also represents a potentially exponential increase in vulnerability. Each device becomes a potential entry point for cyber criminals. There are four key technology-determined components of the new threat:
- The sheer volume of data that is created, collected, analysed and stored by IoT devices.
- The fact that most enterprises have little idea of the number of IoT devices in their environment, let alone how to secure them.
- The problem that most IoT devices operate outside traditional enterprise technology security operations, including firewalls and threat and intrusion detection systems.
- The inherent design constraints of low-powered IoT processors, which restrict the security technology and protocols that can be embedded in them or wrapped around them.
These issues are compounded, according to the EIU, by more established concerns around technology security, which begin with the real difficulties enterprise IT operations have currently in securing their existing applications and operations.
These are compounded by the general speed of technological innovation – not just around IoT – and by very real budget constraints. Organisations have long realised that they cannot simply throw ever larger amounts of money at security – though the speed with which threats evolve raises constant pressure for more investment.
You also have to factor in significant security skills shortages and the pressure on business units to rapidly push out IoT enabled products and services to gain competitive advantage, without considering how to deploy them securely.
Secure IoT will mean many organisations have to rethink how they create secure code and hardware, putting security at the heart of the products they develop, and ensuring the privacy of the data they collect.
These are not typically areas of expertise in vertical sectors that are most rapidly embracing IoT technology, such as car manufacturing and retail, which means enterprises trying to exploit the potential of IoT will have to seek partners to both deploy IoT solutions effectively and to deploy them securely.
Steps to IoT security
CIOs, IT directors and business technology leaders will not win the understanding of the board by simply outlining the problems faced in delivering IoT securely. They have to champion the business benefits of IoT and analytics and propose solutions to security challenges.
The Economist Intelligence Unit suggests a series of basic steps, beginning with revisiting or creating from scratch a comprehensive digital security strategy that has the active support of the board. Simply adding a few lines about IoT to a policy gathering dust on an office shelf or in the archive folder of your email won’t do.
This should be followed by a comprehensive audit of existing and future potential risks with IoT initiatives. IoT devices, network infrastructure and all mobile, web and cloud touchpoints need to be covered, with risks also identified in terms of regulatory, legal and brand exposure.
A more difficult task is embedding security into IoT devices and processes from their inception. Retrofitting security into IoT projects is challenging and expensive and may not be effective. Security needs to be instilled into these projects now.
This can’t be left to your security team or the wider IT department. IoT is not an IT project. It extends from product design through the supply chain to production and lifecycle management and beyond. Staff across the business must play an active part in keeping IoT secure.
Last, but not least, IoT is only as secure as the weakest connection. Every organisation has to ensure its parts operate to the same rigorous security standards as they have adopted internally.
Get these steps right and IoT will transform not only your business but your IT department too.
This article is brought to you in association with The Business Value Exchange