IoT: the next cybersecurity frontline

Billions of Internet of Things (IoT) devices will change our lives and the way business and society runs. Security is a key market enabler and is paramount in providing trust in IoT's revolutionary capabilities. It is no surprise, therefore, that IoT security is at the top of the global agenda this year as designers, vendors and governments strive to ensure we all safely reap its benefits.

The IoT market is set for explosive growth as business looks to exploit valuable sensor data to better understand customers and drive new revenue streams. But to profit from these exciting opportunities the entire infrastructure must be as secure as possible.

McKinsey estimates that if the industry and policy makers can reach an agreement on interoperability, security, privacy and standards, connecting the physical and digital worlds could generate up to $11 trillion a year in economic value by 2025. This is equivalent to around 11 percent of the world economy.

Organizations that collect IoT data must protect it from unauthorized access and be prepared to deal with new categories of risk that IoT may introduce, McKinsey points out. “Extending information technology (IT) to new devices creates many more opportunities for potential breaches, which must be managed,” it says.

Cybersecurity will remain at the epicentre of IoT and digital business as technology moves forward, and it will help to dictate the success level of projects. “Organizations will learn to live with acceptable levels of digital risk as business units innovate to discover what security they need and what they can afford,” explains Paul Proctor, vice president at Gartner. “Digital ethics, analytics and a people-centric focus will be as important as technical controls.”

What is coming down the IoT security pipeline?

Experts have been issuing warnings about IoT vulnerabilities for some time now, but this year we will see governments, manufacturers and vendors getting serious about IoT security.

The US Federal Trade Commission has highlighted the fact that, unlike hardware and software vendors, some IoT developers coming into the industry have not had years of experience in securing their products and services. In addition, many connected devices are very small, low-cost and have limited processing power. This can make keeping their security up-to-date a challenge.

The FTC is advocating IoT companies adopt a ‘security by design’ approach and baking security in from the very beginning. It proposes carrying out security risk assessments as part of the design process, providing encryption in some cases and monitoring devices throughout their lifecycle, to identify and fix any vulnerabilities. It has even issued a public design challenge to develop a tool that capable of addressing security vulnerabilities caused by out-of-date software in IoT devices.

One of the big sticking points with IoT security is that building security into devices increases the cost of manufacturing. Some believe that governments should work together to regulate IoT security, while others believe it should be self-regulating. There are also several IoT security bodies in the market that are developing proposed standards.

The IoT Alliance, for example, maintains that the heart of IoT security lies in protecting all devices at the endpoint, network, cloud and application layers. It supports using threat analytics to study the ecosystem and designing products with a built-in, always-on security.

ABI Research forecasts that the IoT security challenge will create major opportunities for IoT Managed Security Service Providers (MSSP), as there will be not be a single technology that addresses all IoT security challenges. “The fact that true end-to-end IoT security is near impossible for a single vendor to achieve is a primary reason for the rise in vendors offering managed security services to plug security gaps,” it says.

How can you get your security strategy ready for IoT?

IoT is already used in real-world applications, from smart homes to connected cars. But its all-encompassing nature means there is no quick and simple solution to security. With this in mind how do you start preparing an IoT security strategy for your organization? The answer is to take a multifaceted approach. This should include:

1.       Proactively implement policies that will cut your chances of a breach. Take an audit of the devices and data you need to keep safe and embed security in all your processes and procedures.

2.       Deploy a multi-layered strategy that starts at your network gateway and secures both your legacy applications and the cloud.

3.       Consider encryption for data stored on devices and in transit over the network.

4.       Use authorization tools to accurately take care of access management.

5.       IoT connects a host of systems. If a breach occurs your entire network could be at risk. Network segmentation ensures that connected devices don’t impact the overall security of the network if a breach occurs.

6.       Put a DDoS mitigation strategy in place by deploying complementary DDOS protection on top of your current security technologies.

IoT has the potential to change the world as we know it, but like any pioneers, early adopters will have risks to contend with. Understanding where vulnerabilities may lie and how serious a threat will be a challenge. To stay ahead of the curve, organizations are best advised to put IoT security strategies in place and be prepared to update them as these devices make their way onto their networks.

In our ultra-connected world, you need to protect yourself from increasingly complex and sophisticated cyber threats. Read more here

Stewart Baines
Stewart Baines

I've been writing about technology for nearly 20 years, including editing industry magazines Connect and Communications International. In 2002 I co-founded Futurity Media with Anthony Plewes. My focus in Futurity Media is in emerging technologies, social media and future gazing. As a graduate of philosophy & science, I have studied futurology & foresight to the post-grad level.