73 percent say existing security standards in the industry do not sufficiently address IoT.
A new survey of more than 7,000 IT professionals from global cybersecurity association ISACA suggests that a lack of clarity and standards around Internet of Things (IoT) security is leading to a lack of confidence.
According to the UK IT professionals surveyed for ISACA’s 2015 IT Risk/Reward Barometer, 75 percent of the security experts polled say they do not believe device manufacturers are implementing sufficient security measures in IoT devices, and a further 73 percent say existing security standards in the industry do not sufficiently address IoT-specific security concerns and new standards are needed. Combined with the assertion from 56 percent of respondents that their organisation’s IT department is not aware of all of its connected devices (e.g., connected thermostats, TVs, fire alarms, cars, etc.), these figures demonstrate significant risk.
The worldwide IoT is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices by 2020, according to one estimate.*
“With the explosion in popularity and hype around the Internet of Things, it is proving difficult for manufacturers and organisations to keep up with the clear realities and implications for security the IoT represents. What is being created, along with the physical object like a thermostat, smartwatch or connected alarm system, are the countless entry points that cyberattackers can use to access personal information and corporate data,” said Ramsés Gallego, past international vice president of ISACA.
“The rapid spread of connected devices is outpacing an organisation’s ability to manage it and to safeguard company and employee data. We need to change that so we can reap the many benefits of the IoT.”
Forty-one percent of the IT professionals surveyed say the most significant security concern for enterprises related to the IoT lies in device vulnerabilities, and there is a good chance of a company being hacked through an IoT device (64 percent put the risk likelihood at medium/high). With 62 percent expecting a cyberattack in the next 12 months, and only 51 percent confident they are prepared for such an event, the responses raise questions about how organisations can achieve the many benefits of IoT while managing the risk—particularly since 68 percent of UK IT professionals say organisations of all sizes are equally at risk.
However, there is good news too. Thirty-four percent say they have achieved greater access to information as a result of the IoT, and 29 percent say IoT has improved services at their organisation. The survey report notes that the business risk of not embracing the IoT and falling behind competitors may well outweigh any potential cost of a cyberattack, and organisations need to manage the risk to achieve the most benefit.
Recognising that changing a company’s security architecture is not an easy or speedy process, the advice given to protect crucial data against threats is simple: avoid storing sensitive or classified data on the device. This took clear preference over other recommendations, as seen below from the UK and global experts (global data in brackets):
- Avoid storing sensitive or classified data on the device(s) 43% (45%)
- Change privacy settings 17% (15%)
- Turn off Internet-enabled functions when not actively in use 14% (15%)
- Change passwords 14% (11%)
- Avoid using or logging into public Wi-Fi access points 7% (10%)
ISACA has this advice on how to maintain a cyber-secure workplace:
- Safely embrace IoT devices in the workplace to keep competitive advantage.
- Ensure all workplace devices owned by the organisation are updated regularly with security upgrades.
- Require all devices be wirelessly connected through the workplace guest network, rather than the internal network.
- Provide cybersecurity training for all employees to demonstrate their awareness of best practices of cybersecurity and the different types of cyberattacks.
The organisation also has compiled tips for device manufacturers to add security to their products:
- Require all developers who build software to have appropriate performance-based cybersecurity certification, to ensure safe coding practices are being followed.
- Insist all social media sharing be opt-in.
- Encrypt all sensitive information, especially when connecting to Bluetooth-enabled devices.
- Build IoT devices that can be automatically updated with new security upgrades.
ISACA established Cybersecurity Nexus (CSX) to help organisations develop their cybersecurity workforce and help individuals advance their cybersecurity careers. For information on CSX, including the new CSX Practitioner certification, visit https://cybersecurity.isaca.org.
The IT Risk/Reward Barometer is a global indicator of trust in information. Conducted by ISACA, the Barometer polls IT professionals and consumers worldwide to uncover attitudes and behaviors about essential technologies and information, and the trade-offs people make to balance risk and reward. The study is based on online polling of 7,016 ISACA members in 140 countries from 27 August to 8 September 2015. Additional online surveys were fielded by M/A/R/C Research of more than 5,000 consumers, including 1,025 in the UK. For full results, visit www.isaca.org/risk-reward-barometer.