Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

11/20/2018
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

IoT Security Problems Can Cost Enterprises Millions

A survey by DigiCert finds that the IoT is a priority for most companies, but many enterprises struggle when it comes to security and privacy. This can translate into firms losing millions.

The Internet of Things is becoming increasingly important to most businesses, but many of those organizations aren't making security around all those intelligent connected devices a priority, according to researchers at cybersecurity firm DigiCert.

In fact, a report by DigiCert found that among those companies that are having the most difficulty securing their IoT environments, 25% report that they had lost at least $34 million over the last two years due to security-related issues. That number will grow unless companies that bring connected devices into the fold start taking steps to increase the security round them.

"The security challenges presented by IoT are similar to the many IT and internet security challenges industries have faced for years," Mike Nelson, vice president of IoT security at DigiCert, told Security Now in an email. "Encryption of data in transit, authentication of connections, ensuring the integrity of data -- these challenges are not new. However, in the IoT ecosystem these challenges require new and unique ways of thinking to make sure the way you're solving those challenges works. Regarding evolution of security challenges, the biggest challenge is simply the scale and the magnitude of growth. Having scalable solutions is going to be critical."

Organizations also will have to deal with the issue of securing the interoperability of these myriad devices. In the coming years, "it won't be sufficient for an organization to simply secure the connections their device makes with other internal resources," Nelson said. "IoT devices will be connecting to each other and other systems and the secure interoperability of those connections will be a unique challenge."

The benefits and challenges of the IoT have been known for several years.

Smart connected devices -- from in-home thermostats to industrial systems -- can improve customer experiences, increase revenue, improve efficiency and agility within a business and reduce costs. However, the ever-growing numbers of connected devices also vastly expands the attack surface for bad actors, putting both security and privacy at risk.

A growing industry
Some vendors and analysts have predicted that by 2020, there will be 20 billion or more connected devices worldwide, and that could grow to 80 billion by 2025, with spending on the IoT increasing from $80 billion last year to almost $1.4 trillion by 2021, according to IDC analysts. Attacks against IoT devices also have increased, with growing concerns about the rise of DDoS attacks, like the one in 2016 that brought down the DNS service.

Consumers also are concerned about security, so much so that these concerns are slowing the adoption of IoT, F-Secure wrote in a recent report. (See IoT Device Adoption Hampered by Consumer's Security Concerns.)

DigiCert's report, “State of IoT Security," found that 82% of companies surveyed reported that security was a top concern when implementing IoT, while 78% said privacy was another. That comes as 83% said IoT is important to their businesses today and 92% said it will be important by 2020. Most companies are just getting started; only a third said they had completed implementing an IoT strategy. DigiCert hired ReRez Research surveyed 700 organizations from around the world for the survey.

DigiCert sorted the companies into three tiers -- those having the fewest IoT security problems, those scoring in the middle with their security results and a bottom tier for those having the most difficulties. Those $34 million in losses by some of these companies include everything from financial damages and lost productivity to a hit on their reputations and declining stock prices. DigiCert’s Nelson said the collection of companies surveyed were a "mixed bag" when it comes to security and privacy.

"There are organizations that are prioritizing security because they see and understand the risks of not doing it, and there are other organizations that have made the decision to not prioritize security or privacy," he said, adding that organizations spend money due to pain or opportunity. "Some organizations haven't felt or experienced the pain of dealing with a data breech or having malware embedded on a fleet of their devices and because of that, they are more reluctant to spend the money. Regarding opportunity, I don't see product security as being a strong enough product differentiator to motivate organizations to act."

However, those companies implementing security practices are getting better at it, he said. Security isn't something that just happens; it takes time, experience, the right people and a change in how a company thinks about a product.

"The biggest cause of struggle is lack of executive support to build a robust security program," Nelson said. "Once an organization prioritizes it, they then need to recruit people with the right skill set to solve the problems they have. I've seen organizations transfer a resource from audit or regulatory to run product security. These decisions need to be made carefully because good cybersecurity isn't something that can be learned overnight. People with the right expertise are needed in order to be successful bringing solutions forward."

Key steps companies need to take include encrypting sensitive data, ensuring the integrity of data in transit, scaling security measures, securing over-the-air updates and securing software-based encryption key storage, he said.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
APT Groups Set Sights on Linux Targets: Inside the Trend
Kelly Sheridan, Staff Editor, Dark Reading,  9/11/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9739
PUBLISHED: 2020-09-18
Adobe Media Encoder version 14.3.2 (and earlier versions) has an out-of-bounds read vulnerability that could be exploited to read past the end of an allocated buffer, possibly resulting in a crash or disclosure of sensitive information from other memory locations. User interaction is required to exp...
CVE-2020-9744
PUBLISHED: 2020-09-18
Adobe Media Encoder version 14.3.2 (and earlier versions) has an out-of-bounds read vulnerability that could be exploited to read past the end of an allocated buffer, possibly resulting in a crash or disclosure of sensitive information from other memory locations. User interaction is required to exp...
CVE-2020-9745
PUBLISHED: 2020-09-18
Adobe Media Encoder version 14.3.2 (and earlier versions) has an out-of-bounds read vulnerability that could be exploited to read past the end of an allocated buffer, possibly resulting in a crash or disclosure of sensitive information from other memory locations. User interaction is required to exp...
CVE-2020-0089
PUBLISHED: 2020-09-18
In the audio server, there is a missing permission check. This could lead to local escalation of privilege regarding audio settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-137015603
CVE-2020-0262
PUBLISHED: 2020-09-18
In WiFi tethering, there is a possible attacker controlled intent due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156353008