As IoT Grows, Confidence in Security Remains Low
Despite the growing use of embedded devices (IoT) and the need to secure them, almost half of all businesses are unable to detect a breach in any of their devices. The situation is worse in the UK, where the figure rises from 48% overall to almost 60%, even though the UK government introduced a code of practice for manufacturers and developers last year.
The figures come from a Gemalto survey of 950 IT and business decision makers globally. Spending on securing IoT is growing (from 11% of IoT budget in 2017 to 13% now), and security awareness is high (90% believe it is a major consideration). Belief that IoT security is an ethical responsibility has grown from 4% a year ago to 14% now. But confidence in breach detection remains low.
Consumers are not impressed. Sixty-two percent believe that security must improve. Fifty-four percent fear a loss of privacy through connected devices, 51% are worried about hackers taking control over the devices, and 50% are worried about a lack of control over their personal data.
IoT security is hard to implement. Most people see government intervention as the best solution. Seventy-nine percent are calling for more robust guidelines on IoT security, while 59% want greater clarity on who is responsible for IoT security. “With no consistent regulation guiding the industry,” comments Jason Hart, CTO, data protection at Gemalto, “it’s no surprise the threats — and, in turn, vulnerability of businesses — are increasing. This will only continue unless governments step in now to help industry avoid losing control.”
Any regulations will, however, need to be mandatory. The UK experience confirms the often-stated belief: if it isn’t a legal requirement, it won’t be done.
Gemalto believes that blockchain may be advantageous in securing the data coming out of embedded devices. Adoption of blockchain has doubled from 9% to 19% in the last 12 months. Twenty-three percent of the survey respondents believe that blockchain technology would be a solution for securing IoT devices, while 91% of the organizations that don’t currently use the technology are likely to consider it in the future.
“While it’s positive [organizations] are attempting to address [concerns] by investing in more security, such as blockchain, they need direct guidance to ensure they’re not leaving themselves exposed. In order to get this, businesses need to be putting more pressure on the government to act, as it is them that will be hit if they suffer a breach.”
However, neither the figures themselves nor the belief in blockchain as a solution are universally accepted. High-Tech Bridge is a firm that provides automated vulnerability scanning for internet-connected systems. Its CEO, Ilia Kolochenko, fears the figures underestimate the problem. “In my experience, less than 10% of European organizations have an up-to-date inventory of their IoT devices, let alone breach detection capacities. Shadow IoT, brought and implemented by employees, exacerbates the situation as corporate data starts being stored on unidentifiable and uncontrollable devices, often with backup in external storage locations or the cloud,” he told SecurityWeek in an emailed comment.
He also believes that the potential for blockchain and national regulations (such as GDPR to protect user data) as solutions is overestimated. “Blockchain technology by definition has nothing to do with many popular attack vectors on IoT devices. GDPR’s role is also questioned, as most of the careless IoT manufacturers are located far beyond EU jurisdiction and do not care about any judicial decisions of European courts against them.”
International regulation on the manufacture and use of IoT devices may be the best solution. But, comments Kolochenko, “Uniform regulation of the IoT market is a Utopia amid current geopolitical tensions in the technology sector. Nonetheless, governmental regulation of secure-by-design IoT is certainly a good idea and probably is the only way to make the IoT market more reliable.”