Existing security standards do not sufficiently address IoT

A lack of clarity and standards around Internet of Things (IoT) security is leading to a lack of confidence.

According to the UK IT professionals surveyed by ISACA, 75 percent of the security experts polled say they do not believe device manufacturers are implementing sufficient security measures in IoT devices, and a further 73 percent say existing security standards in the industry do not sufficiently address IoT-specific security concerns.


Combined with the assertion from 56 percent of respondents that their organisation’s IT department is not aware of all of its connected devices (e.g., connected thermostats, TVs, fire alarms, cars), these figures demonstrate significant risk.

The worldwide IoT is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices by 2020, according to one estimate.

“With the explosion in popularity and hype around the Internet of Things, it is proving difficult for manufacturers and organisations to keep up with the clear realities and implications for security the IoT represents. What is being created, along with the physical object like a thermostat, smartwatch or connected alarm system, are the countless entry points that cyber attackers can use to access personal information and corporate data,” said Ramsés Gallego, past international vice president of ISACA. “The rapid spread of connected devices is outpacing an organisation’s ability to manage it and to safeguard company and employee data. We need to change that so we can reap the many benefits of the IoT.”

Forty-one percent of the IT professionals surveyed say the most significant security concern for enterprises related to the IoT lies in device vulnerabilities, and there is a good chance of a company being hacked through an IoT device (64 percent put the risk likelihood at medium/high).

With 62 percent expecting a cyberattack in the next 12 months, and only 51 percent confident they are prepared for such an event, the responses raise questions about how organisations can achieve the many benefits of IoT while managing the risk—particularly since 68 percent of UK IT professionals say organisations of all sizes are equally at risk.

However, there is good news too. Thirty-four percent say they have achieved greater access to information as a result of the IoT, and 29 percent say IoT has improved services at their organisation. The survey report notes that the business risk of not embracing the IoT and falling behind competitors may well outweigh any potential cost of a cyberattack, and organisations need to manage the risk to achieve the most benefit.

Recognising that changing a company’s security architecture is not an easy or speedy process, the advice given as the best way to protect crucial data against threats is simple: avoid storing sensitive or classified data on the device. This took clear preference over other recommendations, as seen below from the UK and global experts (global data in brackets):

  • Avoid storing sensitive or classified data on the device(s) – 43% (45%)
  • Change privacy settings – 17% (15%)
  • Turn off Internet-enabled functions when not actively in use – 14% (15%)
  • Change passwords – 14% (11%)
  • Avoid using or logging into public Wi-Fi access points – 7% (10%)
  • Other – 5% (4%).

ISACA has this advice on ways for enterprises to maintain a cyber-secure workplace:

  • Safely embrace IoT devices in the workplace to keep competitive advantage.
  • Ensure all workplace devices owned by the organisation are updated regularly with security upgrades.
  • Require all devices be wirelessly connected through the workplace guest network, rather than internal network.
  • Provide cyber security training for all employees to demonstrate their awareness of best practices of cyber security and the different types of cyberattacks.

The organisation also has compiled a set of tips for device manufacturers to add security to their products:

  • Require all developers who build software to have appropriate performance-based cyber security certification, to ensure safe coding practices are being followed.
  • Insist all social media sharing be opt-in.
  • Encrypt all sensitive information, especially when connecting to Bluetooth-enabled devices.
  • Build IoT devices that can be automatically updated with new security upgrades.