“Almost half of companies still unable to detect IoT device breaches” reveals Gemalto study

Gemalto, the digital security specialist, has revealed that only around half (48%) of businesses can detect whether or not any of their Internet of Things (IoT) devices suffers a breach. This news comes despite companies having an increased focus on IoT security. Spending on protection has grown (from 11% of IoT budget in 2017 to 13% now, in fact). Nearly all (90%) believe IoT security is a big consideration for customers, while almost three times as many now see IoT security as an ethical responsibility (14%) compared to a year ago (4%).

With the number of connected devices set to top 20 billion by 2023, businesses must act quickly to ensure that their IoT breach detection is as effective as possible.

Surveying 950 IT and business decision-makers globally, Gemalto has found that companies are calling on Governments to intervene, with 79% asking for more robust guidelines on IoT security and 59% seeking clarification on who’s responsible for protecting IoT.

Despite the fact that many Governments have already enacted or announced the introduction of regulations specific to IoT security, most (95%) businesses believe there should be uniform regulations in place. This is a finding that’s echoed by consumers: 95% expect IoT devices to be governed by security regulations.

“Given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still cannot detect if they’ve been breached,” said Jason Hart, CTO for data protection at Gemalto. “With no consistent regulation guiding the industry, it’s no surprise that the threats – and, in turn, the vulnerability of businesses – are increasing. This will only continue unless Governments step in now to help industry avoid losing control.”

Security remains a big challenge

With such a big task in hand, businesses are calling for Government intervention because of the challenges they see in securing connected devices and IoT services. This is particularly the case for data privacy (38%) and the collection of large amounts of data (34%). Protecting an increasing amount of data is proving an issue, with only three-in-five (59%) of those using IoT and spending on IoT security admitting that they encrypt all of their data.

Consumers are clearly not impressed with the efforts of the IoT industry, with 62% believing security needs to improve. When it comes to the biggest areas of concern, 54% fear a lack of privacy because of connected devices followed closely by unauthorised parties like hackers controlling devices (51%) and a perceived lack of control over personal data (50%).

Blockchain gains pace as IoT security tool

While the industry awaits regulation, it’s seeking ways in which to address the issues itself, with blockchain emerging as a potential technology. The adoption of blockchain has doubled from 9% to 19% in the last 12 months.

What’s more, a quarter (23%) of respondents believe that blockchain technology would be an ideal solution to use for securing IoT devices, with 91% of organisations that don’t currently use the technology likely to consider it at some point in the future.

As blockchain technology finds its place in securing IoT devices, businesses continue to employ other methods to protect themselves against cyber criminals. The majority (71%) encrypt their data, while password protection (66%) and two-factor authentication (38%) remain prominent.

Hart concluded: “Businesses are clearly feeling the pressure of protecting the growing amount of data they collect and store. While it’s positive they’re attempting to address this issue by investing in more security such as blockchain, they need direct guidance to ensure they’re not leaving themselves exposed. In order to receive that guidance, firms need to be putting more pressure on Government to act as it’s them that will be hit if they suffer a breach.”

Response from High-Tech Bridge

Web security company High-Tech Bridge’s CEO Ilia Kolochenko has assessed Gemalto’s findings.

“I think the survey results are somewhat optimistic, with almost half of the European companies claiming to have IoT breach detection capacities. In my experience, less than 10% of European organisations have an up-to-date inventory of their IoT devices, let alone breach detection capacities. Shadow IoT, brought and implemented by employees, exacerbates the situation as corporate data starts being stored on unidentifiable and uncontrollable devices, often with back-up in external storage locations or the cloud.”

Kolochenko went on to observe: “On the other hand, blockchain capacity to secure IoT is somewhat overestimated. Blockchain technology by definition has nothing to do with many popular attack vectors on IoT devices. The General Data Protection Regulation’s (GDPR) role is also questioned, as most of the careless IoT manufacturers are located far beyond EU jurisdiction and don’t care about any judicial decisions of European courts against them. Moreover, not every IoT is designed to store or process PII, thus rendering the GDPR inapplicable.”

In conclusion, Kolochenko added: “Uniform regulation of the IoT market is a Utopia amid current geopolitical tensions in the technology sector. Nonetheless, Government regulation of secure-by-design IoT is certainly a good idea and, in all likelihood, is the only way in which to make the IoT market more reliable.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
