Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

IoT Security Problems Can Cost Enterprises Millions

A survey by DigiCert finds that the IoT is a priority for most companies, but many enterprises struggle when it comes to security and privacy. This can translate into firms losing millions.

The Internet of Things is becoming increasingly important to most businesses, but many of those organizations aren't making security around all those intelligent connected devices a priority, according to researchers at cybersecurity firm DigiCert.

In fact, a report by DigiCert found that among those companies that are having the most difficulty securing their IoT environments, 25% report that they had lost at least $34 million over the last two years due to security-related issues. That number will grow unless companies that bring connected devices into the fold start taking steps to increase the security round them.

(Source: iStock)
(Source: iStock)

"The security challenges presented by IoT are similar to the many IT and internet security challenges industries have faced for years," Mike Nelson, vice president of IoT security at DigiCert, told Security Now in an email. "Encryption of data in transit, authentication of connections, ensuring the integrity of data -- these challenges are not new. However, in the IoT ecosystem these challenges require new and unique ways of thinking to make sure the way you're solving those challenges works. Regarding evolution of security challenges, the biggest challenge is simply the scale and the magnitude of growth. Having scalable solutions is going to be critical."

Organizations also will have to deal with the issue of securing the interoperability of these myriad devices. In the coming years, "it won't be sufficient for an organization to simply secure the connections their device makes with other internal resources," Nelson said. "IoT devices will be connecting to each other and other systems and the secure interoperability of those connections will be a unique challenge."

The benefits and challenges of the IoT have been known for several years.

Smart connected devices -- from in-home thermostats to industrial systems -- can improve customer experiences, increase revenue, improve efficiency and agility within a business and reduce costs. However, the ever-growing numbers of connected devices also vastly expands the attack surface for bad actors, putting both security and privacy at risk.

A growing industry
Some vendors and analysts have predicted that by 2020, there will be 20 billion or more connected devices worldwide, and that could grow to 80 billion by 2025, with spending on the IoT increasing from $80 billion last year to almost $1.4 trillion by 2021, according to IDC analysts. Attacks against IoT devices also have increased, with growing concerns about the rise of DDoS attacks, like the one in 2016 that brought down the DNS service.

Consumers also are concerned about security, so much so that these concerns are slowing the adoption of IoT, F-Secure wrote in a recent report. (See IoT Device Adoption Hampered by Consumer's Security Concerns.)

DigiCert's report, “State of IoT Security," found that 82% of companies surveyed reported that security was a top concern when implementing IoT, while 78% said privacy was another. That comes as 83% said IoT is important to their businesses today and 92% said it will be important by 2020. Most companies are just getting started; only a third said they had completed implementing an IoT strategy. DigiCert hired ReRez Research surveyed 700 organizations from around the world for the survey.

DigiCert sorted the companies into three tiers -- those having the fewest IoT security problems, those scoring in the middle with their security results and a bottom tier for those having the most difficulties. Those $34 million in losses by some of these companies include everything from financial damages and lost productivity to a hit on their reputations and declining stock prices. DigiCert’s Nelson said the collection of companies surveyed were a "mixed bag" when it comes to security and privacy.

"There are organizations that are prioritizing security because they see and understand the risks of not doing it, and there are other organizations that have made the decision to not prioritize security or privacy," he said, adding that organizations spend money due to pain or opportunity. "Some organizations haven't felt or experienced the pain of dealing with a data breech or having malware embedded on a fleet of their devices and because of that, they are more reluctant to spend the money. Regarding opportunity, I don't see product security as being a strong enough product differentiator to motivate organizations to act."

However, those companies implementing security practices are getting better at it, he said. Security isn't something that just happens; it takes time, experience, the right people and a change in how a company thinks about a product.

"The biggest cause of struggle is lack of executive support to build a robust security program," Nelson said. "Once an organization prioritizes it, they then need to recruit people with the right skill set to solve the problems they have. I've seen organizations transfer a resource from audit or regulatory to run product security. These decisions need to be made carefully because good cybersecurity isn't something that can be learned overnight. People with the right expertise are needed in order to be successful bringing solutions forward."

Key steps companies need to take include encrypting sensitive data, ensuring the integrity of data in transit, scaling security measures, securing over-the-air updates and securing software-based encryption key storage, he said.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Sure you have fire, but he has an i7!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-05
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
PUBLISHED: 2021-03-04
On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.
PUBLISHED: 2021-03-04
Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.
PUBLISHED: 2021-03-04
Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format.
PUBLISHED: 2021-03-04
A possible arbitrary memory overwrite vulnerabilities in quram library version prior to SMR Jan-2021 Release 1 allow arbitrary code execution.