The Internet of Things (IoT) has gone from a futuristic buzzword to a reality, and IoT security has become an industry unto itself.
By 2020, Gartner expects there will be 20 billion IoT “things” in use. These IoT “things” do not include smartphones and PCs. They are everyday devices, such as appliances, cars, and vending machines, that have internet connectivity.
The Gartner report describes data flowing into an ever-increasing number of devices that benefit consumers.
It also creates additional headaches for CIOs and IT professionals. It can be a difficult job for IT leaders because it involves more than managing a closed network and virtual assets. It means managing physical devices and objects that are outside the organization’s immediate control.
IoT generates a significant amount of highly personal consumer data. The generation of increasing amounts of data creates layers of security concerns, especially in light of new privacy legislation. The EU General Data Protection Regulation (GDPR) and California’s new Consumer Privacy Act (CCPA) are two such examples.
Are our security solutions keeping up with the rise of IoT? A Deloitte survey of organizational confidence in IoT security reveals that only 18 percent of the 500 C-level executives who oversee cybersecurity at significant companies say they are very confident that the “things” in the Internet of Things are secure. That is significantly less than the 31 percent who report they are uncertain or not confident at all in IoT security.
Massive Amounts Of Personally-Identifiable Data
The preponderance of IoT devices in use will make it even more challenging to protect the enormous amount of personally-identifiable data that is gathered. The sheer number of devices means more attention must be paid to the gathering, storage, and security of data.
Enter PKI. PKI stands for Public Key Infrastructure. A public key, which can be shared freely, is paired with a private key known only to its owner. PKI has a certificate authority that issues and signs digital certificates, which can also be revoked. This authority verifies the identity of those seeking to obtain digital certificates. Combined with TLS (Transport Layer Security), this enables encrypted communication.
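As an added illustration of the model just described (a CA that issues, signs and revokes certificates, and a relying party that verifies them before a TLS session), the following Go program is example code written for this page, not code from the original article. It stands up a fleet root CA, issues a certificate for one device, and validates that certificate the way a cloud endpoint would at the TLS client-authentication step; the function names, "Fleet Root CA", "device-0001" and the `revoked` map (standing in for a CRL or OCSP lookup) are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// template builds a certificate template for cn; isCA marks it as allowed to sign other certificates.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature,                     // signs TLS handshakes
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // device authenticates itself to the cloud
	}
}

// issue generates a fresh key pair for cn and has parent sign its certificate; a nil parent yields a self-signed root.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // on a real device: generated inside its secure element
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(cn, serial, parent == nil)
	if parent == nil { // root CA: it is its own parent and signer, and it may sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyDevice accepts a device certificate only if it chains to a trusted root and its serial is not revoked.
func verifyDevice(dev *x509.Certificate, roots *x509.CertPool, revoked map[int64]bool) error {
	if revoked[dev.SerialNumber.Int64()] {
		return errors.New("certificate revoked: " + dev.Subject.CommonName)
	}
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A certificate signed by any CA outside the trusted pool fails `Verify` with an unknown-authority error, which is what stops a cloned or counterfeit device from simply presenting a certificate it minted itself.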
Managing IoT Security And Privacy Risks In Devices
The National Institute of Standards and Technology (NIST) identified three critical risks within IoT devices that distinguish them from conventional IT:
- IoT devices interact fundamentally differently than traditional IT devices in the hands of consumers
- IoT devices cannot be monitored or managed the same way because they are outside your IT staff’s physical control
- The availability, efficiency, and effectiveness of IT controls are different. Additional restrictions and controls have to be developed and managed, along with a different approach to risk mitigation.
These key risks boil down to three concepts that IoT demands:
- Protecting device security
- Protecting data security
- Protecting user privacy
Protecting IoT Security in Devices
When devices are available for public use, it’s easy for cybercriminals to get their hands on IoT devices. The key is to prevent them from using these devices to conduct attacks such as DDoS or interception of network traffic.
Protecting Data Security
Except for those devices that do not need permissions, it is critical to safeguard the confidentiality of, and access to, PII (Personally Identifiable Information) that is collected, stored, or processed by IoT devices. In addition to best practices, this may also be subject to strict compliance rules depending on the type of transaction taking place.
Protecting User Privacy
We’ve seen many high-profile data scandals over the past couple of years. In 2017, Marissa Mayer, CEO of Yahoo, was forced to resign after it was made public that the company had provided US intelligence agencies access to millions of users’ emails. Just this year, two top Facebook employees quit over the company’s plans to combine Facebook, Instagram, and WhatsApp.
As IoT becomes even more embedded in devices, privacy will become a more significant concern for users.
Operational Security As Part Of Your DNA
To be effective, the cybersecurity of IoT devices has to be central to everything you do.
“Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind,” said Sean Peasley, IoT Security Leader in Cyber Risk Services at Deloitte & Touche LLP.
Peasley said organizations need to consider the potential threats as hazards and look closely at these as priority items.
Defending data security starts with developing products that employ security-by-design to manage risk. This means implementing cybersecurity practices by default during the design and production of IoT products.
Top 10 IoT Security Risks
- Lack of security and privacy policies and procedures
- Lack of governance to protect data
- Lack of secure product and ecosystem design
- Lack of awareness and training for engineers and designers
- Lack of product security and privacy resources
- Lack of monitoring of devices (and systems) to detect attacks/events
- Lack of implementation security and risk management
- Lack of security visibility in products
- Lack of identification and mitigation of product risks
- Lack of experience with incident response
Managing these risks takes a top-down approach to cybersecurity with the budget to match. Security is not something to delegate to the IT team. It needs to be incorporated into every phase of the design process, from senior leadership on down.
Security risks are becoming known to the public.
With more and more security risks becoming known to the public, employees are starting to make employment decisions based on the data security practices of their employers. As Ray Walsh, Digital Privacy Expert at ProPrivacy.com explains, “Tech employees understand that if something goes wrong – and the firm they work for suffers a data breach – they could end up with an undesirable black mark next to their name, or worse, the potential for liability.”
Walsh continues, “Employees often leave with an understanding of fundamental business practices, trade secrets, and with a familiarity of intellectual property. There is also a danger that firms may not be able to fill the vacuum created by those resignations (with equally able talent). On the other hand, businesses that can demonstrate a genuine desire to protect consumer privacy are likely to find themselves increasingly attractive to both consumers and tech sector employees.”
This focus on security doesn’t end when the design is complete. It must continue throughout the product life cycle.
32.7 Million IoT Attacks
Attacks on IoT security are not just theoretical. More than 32.7 million attacks on IoT devices were detected in 2018. That represents an increase of more than 215% from the previous year. Too many devices have little or no security controls.
As consumer adoption of IoT devices continues to grow, concerns over privacy and security will escalate as well. When a network is in-house and within the control of CISOs and their IT teams, strict adherence to data security and protection can take place. When devices are in the hands of consumers, it is harder to manage.
One recent study showed that more than 40 percent of smart homes have at least one IoT device that is vulnerable to remote attacks. Outdated software, unapplied patches, and weak credentials make it possible for cybercriminals to exploit these weaknesses.
“The concern over security and privacy is more prevalent than ever before,” said Michael Chertoff, former U.S. Secretary of Homeland Security.