Last updated: 31 October 2017
Following many years of hype, we are now in the midst of a true IoT revolution. Consumers are welcoming connected devices into their homes in huge numbers, while the latest innovation promises to literally allow couriers to enter consumers’ homes to deliver packages.
However, there’s an elephant in the room: SECURITY. The IoT is a prime target for cyber attackers, who have already successfully accessed unprotected IoT devices as part of the Mirai botnet and are now taking things further with the Reaper botnet, which has already infected over a million networks. As new threats continue to emerge there are increasing calls for more regulation – indeed, earlier in the year US lawmakers proposed new legislation that would address IoT vulnerabilities.
For many manufacturers, security in their IoT deployments comes often as an after-thought – but the risks of not being protected are huge reputational and financial damage. And in many cases, manufacturers are not experts in implementing secure and scalable infrastructures. Defining some common rules could help to build trust in the ecosystem and guide IoT service providers as they develop new business models.
We recently conducted some research with independent company Vanson Bourne, looking at manufacturer and service provider attitudes towards IoT security. About 1000 IT and decision makers have given their thoughts on the state of IoT Security. As another blog concentrates on key findings around more government-regulation, let´s look at some of the other findings.
Download the free report here.
Service providers want expert guidance in implementing IoT Security
The complexity of the IoT ecosystem means service providers need help navigating its unique challenges. 57% told us that they need guidance from IoT security experts who can make sure that implemented infrastructure is able to evolve over the (sometimes very long) life of connected objects.
The entire ecosystem needs to be considered as a whole, to make sure that every step on the value chain is protected: the connected device and the data itself—whether at rest, in motion, on the network or in the cloud. Companies must understand that they are only as secure as their most vulnerable endpoint. Our survey respondents seem to understand this, saying that their IoT security spending goes not only into the IoT data protection (34%) but also on the connectivity (29%), the device itself (almost 23%) and the application level (about 14%).
However, despite their calls for greater guidance, service providers arguably need to do more themselves. We found that today, only 11% of IoT spending goes to towards security. This is a very small proportion and confirms that security is too often treated as an afterthought, rather than being built in from the design stage.
Security by design: a foundation of trust to increase business
The security-by-design approach ensures security is considered from the very beginning of a new IoT development, and crucially that it’s able to evolve over the lifecycle of a connected object.
92% of respondents to our survey said that they had seen a positive impact on their sales or product usage after implementing a secure IoT architecture.
There are several reasons why.
- A secure IoT infrastructure brings more confidence to connected objects´ end-users, who much prefer to use devices whose security is guaranteed.
- It protects against evolving attacks and ensures business continuity, while also allowing new stakeholders to join an existing IoT ecosystem once connected devices are in the field.
- A security-by-design approach enables multi-actor credential management, so different users can use the same connected object, or access the data coming from a same device. This data can provide valuable market insights which allow teams to take better business decisions.
IoT Security is a secure platform from which to offer new services
32% of respondents told us they see IoT Security as a secure foundation to offer new services.
Only a solid and secure infrastructure allows service providers to securely and remotely launch new services to devices in the field. For example, they can give access to a new service for limited periods of time, with a per-pay-use approach. This could mean downloading a map to your car for a certain region, just for a one-week holiday. At the other end of the scale in a B2B context, it could be a hospital renting out an expensive radiology machine and only paying for the features it wants to use. IoT Security opens the way to valuable monetizing opportunities.
Regulation can define responsibilities
The main benefit of regulation in the IoT world is to define who is responsible for what as sensitive data moves from connected devices to the cloud—and how it should be protected at every step of its journey.
Right now, only 28% say they use Secure Elements to protect devices or data in critical industries such as smart energy or healthcare. In the future this could be a requirement from governments to install hardware secure containers such as Secure Elements in smart meters or data aggregators in Advanced Metering Infrastructures. Some countries are paving the way, such as Germany with the BSI – the office for Information Security, which acts as a cyber security authority to shape our digital world and prevent cyber-attacks.
If you’re interested in finding out more, check out the survey results in more detail, or get more information about protecting IoT deployments here. The entire IoT ecosystem, including end users and service providers, need greater security. It is the key to realizing the ultimate promise of the IoT: more convenience and access to valuable information.
Without trust, end-users may lose confidence and turn away – but if they can be protected they will enjoy the benefits while service providers can expand and develop new offerings.
Let us know your thoughts on the survey in the comments, or by tweeting @Gemalto.