A recent study by Forrester Research shows that 92 percent of infosec leaders at companies with 1,000 or more employees have internet of things (IoT) security policies in place. The same data set, however, elicits a split on whether they have implemented the security technologies needed to support those policies. Some 47 percent believe their security tools are sufficient, while 34 percent say their IoT security tools are insufficient. Another 10 percent do not have any tools in place.
Forrester’s data comes from two online surveys conducted by Research Now in March and May 2017 in Australia, Brazil, Canada, China, France, Germany, India, New Zealand, the UK and the United States. Each had more than 3,000 respondents.
That 92 percent of the companies surveyed have security policies in place may not be quite as positive as it sounds. “There is a difference between having security policies in place and having effective, relevant policies in place,” said Merritt Maxim, principal analyst, security and risk, at Forrester. “As an example, a company may have a policy that all IoT devices must authenticate to the network, but it does not specify the authentication modality, allowing users to select weak passwords. Also, policies must be continually assessed and updated as needed to adapt to the changing threat landscape.”
For that matter, how can the companies that claim to be sufficiently prepared for IoT threats be sure their IoT security postures are up to snuff when many threats are still evolving and may arrive through a wide range of vectors?
IoT Security Spending
The survey also finds that half of the respondents expect to increase IoT security spending in 2018, with only 18 percent expecting a greater than 10 percent spending increase. Maxim cautions that tracking spending on IoT security “is tricky because money that is spent on other areas such as network security and application security could include areas that cover IoT use cases. So spending is on the rise, but the exact increases may be difficult to calculate.”
One thing is certain: Enterprises around the globe see many opportunities in IoT as a technology for delivering better customer experiences, new business services and revenue. Increasingly, successful outcomes will depend on security teams fully understanding the multiple ways that IoT is vulnerable and ensuring that they have the tools to monitor and protect against threats, and on CEOs and others recognizing the danger and allocating IoT security funding.
“The IoT security problem will never be fully solved,” said Maxim. “It will likely get worse in the short term before it gets better. We will see more IoT attacks of varied sophistication from device-specific malware to data breaches, leveraging [a wide range of] security vulnerabilities.”
Ultimately, in terms of the IoT security postures of enterprises worldwide, whether the glass is half empty or half full may be less important than whether it is actively filling with a purpose. If your company has IoT deployments and you’re not vigorously pursuing better IoT security (no matter how good you think your security is today), you’re running a risk.
Keys to IoT Security Preparedness
• Infosec professionals should be prepared for threats from a wide range of vectors. To combat that, you need to start with a strategy specific to IoT security. Forrester recommends conducting risk assessments, simulating IoT-specific breaches and building playbooks that prepare the organization to respond effectively while maintaining a positive customer experience.
• Data privacy requirements, such as the EU’s GDPR (General Data Protection Regulation), are going to become juggernauts for IoT. Most IoT deployments generate huge volumes of data that require privacy protection. Most companies are not fully prepared to share this data with partners while still preserving data privacy and security.
• IoT has a lot of upsides, but you have to pay the piper on security. Investment is needed in a number of areas in your tech stack. Forrester names several IoT capabilities that may require funding, including IoT API, IoT authentication, IoT device hardening, IoT encryption, IoT network security, IoT network segmentation, IoT PKI, IoT security analytics and IoT threat detection.