The internet of things (IoT) is growing so quickly and in so many directions that it might be too easy for companies to overlook legitimate concerns about the security of data, devices, and services. So far, there is no single, universally accepted standard to define IoT security. However, solid best-practice guidance is available from the industry leaders. As you prepare and deepen your IoT involvement, your innovation and revenue planning needs to go hand-in-hand with designing and implementing effective security features in your IoT offerings.
Finding the right balance of connectedness, information-sharing, and security
During the fourth industrial revolution, traditional boundaries between companies and industries will give way to greater openness. Today already, when customers discuss with me, for instance, how the IoT could help them improve the performance of their machinery by providing them and their equipment vendor with performance data, most of them are very open to the increased porousness of organizational thresholds that comes with that—as long as there is a practical benefit from such extensive information-sharing.
Nonetheless, companies need to address the risk that comes with increased exposure of business data across organizations and networks. Analysts at Gartner caution that many companies are not taking IoT security seriously enough and instead give priority to usability and short time-to-market. Recently, the Federal Trade Commission in the U.S. offered guidance for IoT security in the consumer realm. It remains to be seen whether a combination of industry initiatives and regulation can result in strong security protocols that can keep the data flows in systems of systems [link to first blog post in this series] going while maintaining the integrity of the data exchanged.
The need to overcome security compromises
Among the main IoT risks identified by experts, unauthorized information disclosure and network bandwidth problems figure prominently. IDC forecasts state that 90 percent of all IT networks in the world will over the next two years experience a security breach that exploits IoT-connected devices. Also according to IDC, half of the world’s IT networks that today have excess bandwidth to handle additional data and devices in the IoT will have exhausted that capacity. Close to 10 percent of them will be overwhelmed by IoT data traffic. A study by HP found, among other results, that 70 percent of IoT devices used unencrypted network services and the same number failed, along with their cloud and mobile application components, to identify valid user accounts through account enumeration. 80 percent of the IoT devices did not require secure passwords of sufficient length and complexity. As Microsoft’s Tim Rains, Chief Security Advisor of the Worldwide Cybersecurity and Data Protection group points out, additional challenges include manufacturers’ ability to make updates and change configurations of IoT sensors in response to security shortcomings and attacks. What’s more, some of the IoT devices that have already been distributed have poor security capabilities or are used in scenarios that overtax their security features.
Creating IoT security standards and accountabilities
As the IoT in some ways echoes the history of the internet, several security standards and initiatives for the IoT currently exist. They include the Open Interconnect Consortium, the Industrial Internet Consortium, AllJoyn, and Thread. In so far as each of these is driven by a single company or a handful of companies with their agenda and competitive interests, they are also limited, because they are far from encompassing a majority of the IoT providers and their offerings.
In response to IoT-related security challenges, companies need to update their data protection and policies. For some organizations, this may entail that they will define for the first time the role of a chief information security officer and provide it with budget and the ability to take action. As security experts have explained, IoT security is highly complex and involves several layers, from manufacturing of the sensors and devices, through distribution, to their use in businesses or households, each of them with its own security requirements.
Data lifecycle integrity planning
If you are ready to make the IoT part of your business model, you need to plan carefully to ensure the integrity of data, devices, and cloud services. Microsoft IoT guidance and best practices emphasize that devices, software, and services need to ensure appropriate security and privacy of data throughout the lifecycle of IoT devices, and offers its Security Development Lifecycle as a blueprint. IoT devices and services need the most advanced encryption protocols; simpler IoT devices that cannot perform their own encryption could be connected to an encrypting intermediary device before their data is broadcast. IoT devices also need to have the ability to receive security updates reliably and automatically, with minimal administrator assistance.
What are your security concerns related to the IoT, and how are you planning to address them? I would appreciating hearing about your ideas and concerns. Get in touch with me or contact To-Increase.
Do you want to get started today? Start your transformation into the cloud today with our free whitepaper.