August 4, 2017
by Sean Joyce
When the IoT connects the objects that surround you, it can be a whole new world—but only if business leaders enact the appropriate safeguards.
The number of consumer-operated, internet-enabled devices has proliferated considerably during the past few years, expanding to our phones, fitness trackers, cars, watches, and even eyeglasses. Such growth indicates that the IT industry is increasingly recognizing the untapped potential of connecting these devices to one another. This connectivity enables companies to gather a wealth of individual consumer data and use it to create new personal conveniences to enhance how individuals work, live, and play. Of course, that data could also give companies the opportunity to target their marketing messages with greater accuracy and precision.
But the emerging internet of things (IoT) is also a source of risks that are not widely understood. Disruptions to the flow of information among connected devices, physical interference with equipment, and unauthorized access to sensitive consumer information can do significant damage to a business’ operations, infrastructure, and reputation.
Policymakers are taking notice. On Capitol Hill this week, US senators introduced a bill—the Internet of Things Cybersecurity Improvement Act of 2017—that would set minimum security requirements for federal procurements of connected devices. The bill seeks to use the buying power of the federal government to overcome what the senators termed a “market failure” for IoT security.
Although the fate of the legislation remains to be decided, its emergence follows significant discussion in recent years about the need to address cybersecurity and privacy risks linked to connected devices. A 2014 study by the president’s National Security Telecommunications Advisory Committee, for instance, cautioned that there was “a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk.” If the US failed to do so, it would be “coping with the consequences for generations,” the committee wrote.
Yet few organizations have implemented an IoT cybersecurity program. To a large extent, that’s because implementation standards or frameworks for comprehensive security have been slow to emerge. And as connected devices proliferate, the risk of compromised networks will likely increase.
The stakes are high. Research firm Gartner forecasts that the number of connected devices will surge to 11.4 billion worldwide by 2018, up from 6.4 billion in 2016. And more than 25 percent of cyberattacks on enterprises will involve IoT components.
In our 2017 Global State of Information Security® Survey (GSISS), which attracted the participation of more than 10,000 business and IT executives from more than 133 countries, approximately one-quarter of our respondents reported exploits of IoT components, including operational technologies, embedded systems, and consumer devices. Companies are starting to address IoT security, although significant room for improvement remains. Thirty-five percent of survey respondents say they have an IoT security strategy in place, and an additional 28 percent say they are implementing one.
Securing the IoT requires proactive steps
The IoT is spreading to a wide array of industries. For example, some carmakers now enable their vehicles to collect and use real-time diagnostics data that may be subject to consumer protection laws. Sixty-five percent of survey respondents say they collect information on vehicle location, and 44 percent say they gather driver data. Twenty-eight percent say they market the telematics information they gather, and an additional 25 percent say they plan to do so within the next 24 months. The industry is aware that this data can include sensitive consumer information. Among those automakers investing in vehicle diagnostics, 74 percent say they have implemented a security plan for the driver data they collect.
Creating secure connections among internet-enabled devices will require a complex, collaborative approach to protect sensitive information on a massive scale. Any security strategy should incorporate five essential elements:
1. Data collection, retention, and destruction policies
The data collected by the IoT ecosystem can provide new insights about consumer behavior, but companies that are not transparent about their data collection or usage, or whether they share data with third parties, could risk losing consumer trust or violating consumer protection regulations. Companies seeking to monetize vast amounts of data about individuals without crossing the line into unethical, unlawful, or unwanted use should first put into place strong frameworks to govern the management, use, and protection of the data.
2. Device and system vulnerability assessment
The IoT ecosystem is expected to enable unprecedented lifestyle conveniences, including improved healthcare delivery and service. The healthcare ecosystem already incorporates connected equipment in patient care, such as health monitors, telemedicine services, and interconnected medical devices like pacemakers. Connecting these devices to one another and enabling them to share information aims to advance patient care, promote wellness, and even help predict future illnesses. But as medical devices communicate with one another, they often exchange sensitive information without the guarantee of patient privacy. IoT security risks need to be identified before they can be managed, which is why vulnerability assessments are essential.
In our survey, 64 percent of healthcare payer and provider respondents say they have performed risk assessments of connected medical devices and technologies to evaluate potential security vulnerabilities, and 55 percent say they have implemented security controls for such devices to make them less vulnerable to malicious interference that could have harmful consequences.
3. Employee training on IoT privacy practices
To protect sensitive information, organizations should give their employees a solid understanding of the sensitivity of the data they collect—and the consequences of compromising that data. Employees untrained in cybersecurity and privacy procedures are in danger of inadvertently enabling software attacks. In fact, untrained workers are the leading source of security compromises in many industries.
Yet only 53 percent of survey respondents say they have an employee security awareness program. Training for IoT security practices is not yet a matter of course for many organizations. But that may be slowly changing. Thirty-five percent of survey respondents say they plan to invest in employee training on IoT cybersecurity practices this year.
4. Regularly updated consumer privacy rules
IoT-generated data is already a target for international regulatory bodies. For example, the EU’s General Data Protection Regulation, which goes into effect in 2018, expands the definition of personal data to include elements such as geolocation and online identifiers like IP addresses.
In the US, the Federal Trade Commission (FTC) recently reached a settlement with a mobile advertising company that tracked consumers’ geolocation data without their permission. The FTC fined the business $950,000 and prohibited it from collecting consumers’ location information without their express consent. The commission required the company to implement a data privacy program that will be regularly audited.
5. Uniform cybersecurity standards and policies
Currently, the IoT is the Wild West of cybersecurity and privacy—an ungoverned frontier without laws or norms. It comprises billions of devices that employ disparate operating systems, communications protocols, and hardware. The massive footprint and complexity of the platform precludes most businesses from drafting an IoT cybersecurity and privacy framework—they simply lack the in-house technical expertise to do so. And while third-party vendors have developed custom frameworks and bolt-on modules, they often are not interoperable with other systems.
Right now, no standards exist for the multitude of devices that are already part of the IoT ecosystem. Unlike IT equipment, connected devices were not designed with security in mind. A recent study of 10 of the most commonly used connected devices found that 70 percent contained serious vulnerabilities.
Proceed with caution
Many company executives believe the IoT’s interconnected platform will generate expansive economic growth by transforming business models and unleashing innovative products and services. But related risks could also threaten data security across virtually all industries, making them vulnerable to malicious interference with significant consequences.
To realize the promise of IoT-enabled devices and processes, an integrated cybersecurity program is crucial. Businesses that align IoT product and systems development with emerging cybersecurity standards and existing safeguards will have a head start in realizing the advantages enabled by the IoT’s interconnected platforms.