The latest analysis puts the total number of Internet of Things (IoT) devices at over 14 billion, with a further two billion expected to be added next year. As IoT devices continue to expand and penetrate every aspect of business, firms should double their attention to IoT security strategy.
In the intense competition for innovation and market dominance, businesses find themselves at the forefront of a strategic imperative, where success hinges on navigating the complexities of this dynamic environment. How they develop and implement IoT technologies to enhance their products must have security at its foundation to ensure these devices – and the data they collect – are safe as threat actors continue to expand to encompass IoT devices.
IoT security is an essential aspect of the wider IoT technologies space. IoT devices are not created alone but can be linked to other sensors to create a landscape of connectivity and this brings risks along with benefits. The trend amongst tech giants such as Google, IBM, and SAP is not to sell single IoT devices but complete ecosystems. This vast connectivity opens these ecosystems to sustained attacks.
Speaking to ITPro, Christopher Conrad, senior threat intelligence analyst at NETSCOUT, points to the fast expansion of IoT devices as one reason security must be at the top of the IoT development agenda: “According to NETSCOUT’s latest DDoS Threat Intelligence Report, nearly eight million distributed denial of service (DDoS) attacks were launched during the first half of 2023 – a 30.5% increase compared to H1 2022. Among these attacks, adversaries predominantly deploy IoT botnets to target enterprises and other types of endpoint networks, as well as state and local governments. Without better IoT security, this threat landscape will continue to expand and disrupt services.”
As a threat, actors also use IoT technologies as weapons of attack; whether your business is developing or deploying IoT devices, the approach your company takes to secure these devices and the networks they connect to must be comprehensive to combat the attacks focused on IoT.
IoT security strategy: threats and regulation
A key reason why one’s IoT security strategy is paramount is because the data IoT devices collect and exchange can be highly sensitive. Chris Harris, EMEA technical associate vice president for Data Security at Thales, tells ITPro that being first places immense pressure on developers.
“Code weaknesses are likely to arise in areas like IoT, where the technologies are less mature, and the pressure to be first with the latest features and product offerings has historically meant that security has taken a back seat. It’s also challenging to remediate IoT vulnerabilities once devices are installed, as they may not be touched for several months or years afterward, and consumers are less likely to track all the IoT devices they use and the software and firmware they’re using.”
However, Harris also outlines how attitudes and approaches are changing: “Mindsets are changing, especially as the volume of news stories about IoT flaws continue. Manufacturers are starting to grasp the importance of security-by-design principles and incorporating things like mandatory password changes, default update mechanisms, and multifactor authentication (MFA) into their products.”
Businesses may also pursue zero trust IoT, in which IoT devices are distrusted by default and monitored to ensure that hackers can’t exploit flaws in an organization’s IoT security strategy.
Regulation is, of course, also in the mix regarding securing IoT devices. Security can be an afterthought in the race to develop IoT devices, often left to the end user to add later and not baked into the devices themselves. As the IoT arms race intensifies, so does the scrutiny from regulators. Governments worldwide are enacting legislation to address privacy concerns, enshrine data protection policies, and bolster security in the IoT space. With this backdrop, it’s vital to assess potential security breaches that could occur. IoT is developing fast, but security must still be firmly on the development roadmap. The EU Cybersecurity Act is a good example here.
Iain Davidson, senior product manager at Wireless Logic, tells ITPro: “The pace of introduction and compliance requirements vary from region to region. However, governments and international organizations know unprotected IoT devices and networks are vulnerable to cyber threats. Just this year, the World Economic Forum’s State of the Connected World report identified cybersecurity as the ‘second-largest perceived governance gap,’ while theUK’s National Cyber-Security Strategy 2016-21 acknowledged that “poor security practice remains commonplace across parts of the Internet of Things (IoT) sector.”
As the penetration of IoT devices across the business landscape continues to accelerate, building high levels of strong security will become essential. Much has been achieved to this end, but more clearly needs to be done to make the IoT landscape a secure space that developers and users alike can use with confidence.
IoT security strategy: slow improvements
In the IoT arms race, the ultimate victors are those who prioritize the needs and experiences of their customers. A customer-centric approach involves understanding user expectations, addressing pain points, and delivering seamless, intuitive IoT solutions – all within an envelope of robust IoT security.
Wireless Logic’s Iain Davidson, states to ITPro: “The World Economic Forum acknowledges that policies relating to the security of connected devices are fragmented by region. This strikes at the heart of the IoT security challenge. IoT deployments are often international, global even. Device manufacturers and solutions providers may find they have a range of existing and pending legislation to consider.”
Connecting regulation with developers is vital to manage as this will ensure IoT security improves. As Stephen Kines, COO and Co-Founder of Goldilock, concludes, there is work to be done but the IoT industry as a whole is moving in the right direction.
“I’m confident that we will get to a point where IoT devices have robust security, but the pace of response is more of a concern,” says Kines. “We need more of a ‘triple helix’ of government, industry, and academia to push more robust security. There’s not enough economic incentive for industry leaders, regulatory push from the government, or ‘deep thinking’ from the academic side to ensure this happens. But progression is being made. A great example would be a Digital Security by Design showcase, which was held recently. The showcase gathered industry, academic, and government specialists to discuss the progress of designing IoT security devices, of which we need more.”
The IoT space is among the most diverse and rapidly expanding across the technology landscape. Coupled with an equally ferocious expansion of cyber attacks, businesses that create or deploy these technologies will win the arms race if they can make IoT security the foundation upon which all devices and networks are built.