Securing IoT from the ground up

We live in a highly connected world. There are already approximately 10 billion connected Internet of Things (IoT) devices, and their number is expected to grow to over 25 billion by 2030. They also vary across every conceivable industry; simple IoT sensors and consumer-focused smart home gadgets have been joined by sophisticated medical devices, next-generation automotive technologies, industrial IoT hardware, and so on.

While greater connectivity will unlock immense potential for technology innovators, it also creates increasing cybersecurity threats. According to Kaspersky research, the number of attacks on IoT devices more than doubled during the first half of 2021. Bad actors have increasingly targeted firmware, as it has historically been one of the most overlooked aspects of device security.

Last year, Microsoft noted that 83% of businesses reported a firmware attack in the prior two years – an astonishingly high rate!

Securing devices has become more complex

Three primary roadblocks now stand in the way of securing our highly connected world: increasing cybersecurity risks, a widespread scarcity of cybersecurity expertise, and the complex, ever-changing global regulatory landscape. For everyone in the ecosystem – device manufacturers, suppliers, systems integrators and other stakeholders at every level, from chip to cloud – the task of navigating compliance complexity while mitigating cybersecurity risks has become incredibly tough.

In the past, companies commonly shipped connected devices with barely sufficient security and left customers to handle the risks. Today it’s no longer sufficient to simply bring a quality product to market in a timely manner – organizations must ensure their products are secure at the core, so they can continue to operate safely in the modern threat landscape, where attacks on firmware are both foreseeable and common.

Without sophisticated security expertise in-house, many companies are seeking guidance and best practices so they can move quickly to meet heightened customer and regulatory demands. Of course, organizations can always use tactical tools to remediate identified vulnerabilities. However, as NIST research shows security flaws continue to pile up, this haphazard approach will surely catch up to teams who rely exclusively on responsive rather than proactive security strategies.

Now is the time for organizations to reconsider cybersecurity

Given the continued and, in some cases, exponential growth of attacks, businesses must seize this moment as an opportunity to modernize their cybersecurity efforts, so they can properly defend themselves and their customers.

This isn’t a moment for purely performative gestures or security theater. In the past, IoT security considerations were far too often overlooked in the name of increasing speed to market and reducing costs – security was at most a box to be checked at the end of development. Today, organizations need to really move the needle by examining the processes they apply when developing connected products in the first place and their governance to ensure security is baked into everything from the start, rather than merely an afterthought.

Security is an ongoing responsibility made easier with a solid core

Pivoting into a more proactive stance requires security to be not just consistent but also thoroughly considered and implemented throughout both product development and life cycle management processes. It’s no longer enough to just release a secure product and walk away from support; treating security as a core component of any new offering means organizations must have sustainable and lasting security approaches, necessarily including at least some after-sales support.

We recommend that organizations developing IoT offerings take the following three steps to begin the process of modernizing their cybersecurity approaches:

• Meet modern industrial expectations. Confirm that your organization’s product development processes align with standards specific to the automotive, healthcare, manufacturing and consumer sectors.
• Get up to date. Track and remediate known and zero-day vulnerabilities throughout each firmware development phase to consistently maintain device security posture.
• Practice and cultivate cybersecurity transparency. Communicate your products’ security to partners, stakeholders and end-users to help ease security concerns and contribute to a more secure world.

For IoT developers, the benefits of adopting a modern cybersecurity approach are numerous. Properly secured companies have a far greater likelihood of successfully implementing business strategies, mitigating risks, protecting brand reputation, creating product differentiation and establishing market leadership. On the flip side, companies lacking modern cybersecurity now face huge and potentially existential threats to their brands, products, and profits. Doing nothing or merely following past “good enough” practices are no longer realistic options.

Moreover, strengthening IoT products’ security bona fides is critical to unlocking the immense potential of connected technologies. While it took more than 10 years for the number of connected IoT devices to reach 10 billion, that number will more than double before the next decade is out, creating a vast web of intelligent data that has potential for either resilience or countless troubling points of exploitation. Adopting proactive security strategies now will eventually make a significant difference in protecting that data and its users – or undermining trust in connected devices.