IoT security is not IT security

Internet of Things (IoT) holds great promise for improving our homes, cities, environment, transport and industry. But as malicious actors increasingly see IoT as a weak link to be exploited, enterprises will need to be vigilant. The first step is to recognize that IoT security is not the same as IT security.

The democratization of IoT solutions and services is helping deliver new use cases and new applications worldwide. Connected devices and objects continue to revolutionize traditional practices, and the growth shows no sign of slowing. IoT market size is forecast to be worth over $2 trillion by 2027, and by 2025, 75% of 56 billion connected devices worldwide will be connected to an IoT platform. Healthcare, financial services and education are among the data-sensitive industries expected to see the sharpest rise in IoT spending.

However, more connected devices and objects also means more points of attack for malicious actors. The SonicWall 2021 Global Cyberthreat Report reported 56.9 million IoT malware attacks in 2020, up from 34.3 million in 2019 – an increase of 66%. October 2020 alone saw 10.8 million attacks, more than the total number of IoT malware attacks in 2017. The problem seems to be worsening: Kaspersky reports that overall IoT cyberattacks increased in 2021, with 1.51 billion IoT breaches between January and June.

Industrial operational technology (OT) systems are also now being targeted. In Florida earlier this year, hackers attempted to alter the level of sodium hydroxide in a municipal water treatment plant, which could have poisoned up to 15,000 residents. The attacker achieved entry through an IoT-enabled remote access system that employees regularly use.

Enterprise and consumer tech are both at risk

Reports from security specialists have found that in the aftermath of COVID-19, IoT vulnerabilities have increased. This has partly been because more devices have been used for more extended periods in household environments. Many of these consumer-level devices, from smart fridges to connected doorbells, often lack adequate security protocols. Remote working exacerbated the problem, with companies needing to protect and defend themselves against not only their workers’ laptops and phones but potentially also their smart light bulbs.

The increase in IoT cyberattacks arrives at a sensitive time for the industry: new technology advances like AI and edge computing can enable new use cases and opportunities and extend the possibilities of IoT. But at the same time, they also complicate the cyber and data security landscape.

What needs to be done?

The more devices and objects that are connected, the more things become hackable and targets for attacks. So, your IoT security strategy should start from a place of assuming all IoT devices are potential points of vulnerability and go from there.

And it applies across your entire connected real estate – points of attack aren’t limited to work PCs and laptops or connected cars. IoT sensors might be simple devices mainly designed to capture and communicate data, but the data they communicate could be sensitive. Or they could be part of a system that controls the HVAC in a hospital, for example.

With that in mind, CXOs need a checklist of actions to mitigate IoT threats and potential vulnerability.

1. Know your IoT ecosystem. Your IoT setup is more than just connected devices; it’s an ecosystem that constantly interacts within itself. Phones connect to internal or third-party servers, which interact with maintenance teams, network service providers, cloud hosts and more. That’s a lot of potential weak spots to attack. So, as a CXO, you need to know the size and shape of your own IoT ecosystem.

2. Have an integration roadmap. As more devices are connected, so IT and IoT become increasingly interchangeable. IT and OT are becoming more and more converged, and as companies take advantage of the real-time data this generates, it risks exposing OT to more security risks. To integrate effectively, you need to factor perspectives from IoT and OT teams into your roadmap to make the right decisions.

3. Focus on prevention. There are now more kinds of IoT cyberattacks than ever, some you can expect, others that might take you by surprise. Cybercriminals are developing new attack vectors all the time: things like automation via artificial intelligence (AI) and machine learning (ML) are now in their armory. So, you’ll need to focus on security solutions that put prevention first. After the fact and when someone has taken control of your fleet of autonomous vehicles is far too late.

4. Think of security objectives as a business opportunity. Different enterprise job titles tend to think of cybersecurity differently. For CTOs and CIOs, it’s typically in terms of threat vectors and technological capabilities. For CFOs and CEOs, it’s generally a cost issue and brand damage. You need to align these views from the top down into a unified perspective on cybersecurity – and see it as a business opportunity. It isn’t a cost center or an organizational and operational challenge: IoT security can give your company a competitive edge. A robust approach to security can encourage customers and partners to trust you with their data.

A business-critical issue

As enterprise IoT goes increasingly mainstream, you’re going to need robust and reliable cybersecurity to protect your assets, data and company reputation. It’s a situation that can only escalate as 5G-powered IoT use cases increase.

CXOs throughout your organization need to understand the strategic importance of IoT security, what to do about it, and how to put the right IoT security solutions in place. IoT cybersecurity is a distinct discipline and can’t necessarily be achieved by expanding your existing IT security approaches. Working with an expert partner like Orange gives you the cybersecurity knowledge, reach and experience, married to world-class understanding of the intricacies of IoT, to help you get to where you need to go.

To read all about what CXOs need to know to get IoT security right in the face of an increasingly complex cybersecurity landscape, read our new whitepaper.