DigiCert research unveils corporate losses associated with IoT-related security missteps

A new study orchestrated by DigiCert, the provider of TLS/SSL, PKI and Internet of Things (IoT) security solutions, reveals that enterprises have begun sustaining significant monetary losses stemming from the lack of good practices as they move forward with incorporating the IoT into their business models. In fact, among those companies surveyed that are struggling the most with IoT security, 25% reported IoT security-related losses of nearly £257,333 in the last two years.

These findings emerge amid a ramping up of the IoT focus within typical organisations. 71% of respondents to DigiCert’s study indicated that the IoT is extremely important to them at present, while 91% said that they anticipate the IoT to be extremely important to their respective organisations within two years.

The survey was conducted by ReRez Research in September, with 700 enterprise organisations from across critical infrastructure industries in the UK, the US, Germany, France and Japan taking part.

Security and privacy topped the list of concerns for IoT projects, with 82% of respondents stating they were somewhat to extremely concerned about security challenges.

“Enterprises today fully grasp the reality that the Internet of Things is upon us and will continue to revolutionise the way in which we live and work,” said Mike Nelson, vice-president of IoT Security at DigiCert. “Securing IoT devices is still a top priority that many enterprises are struggling to manage. However, integrating security at the beginning, and indeed all the way through IoT implementations, is vital for mitigating rising attacks. Such attacks can be expected to continue. Due diligence when it comes to authentication, encryption and the integrity of IoT devices and systems can help enterprises reliably and safely embrace the IoT.”

Top versus bottom performers

To give visibility to the specific challenges enterprises are encountering with IoT implementations, respondents were asked a series of questions using a wide range of terminology. Using standard survey methodology, respondents’ answers were then scored and divided into three tiers:

* Top-tier: Enterprises experiencing fewer problems and demonstrating a degree of mastery when it comes to mitigating specific aspects of IoT security

* Middle-tier: Enterprises scoring in the middle range in terms of their IoT security results

* Bottom-tier: Enterprises experiencing more problems and much more likely to report difficulties mastering IoT security

IoT security missteps

Respondents were asked about IoT-related security incidents their organisations have experienced within the past two years. The difference between the top and bottom tiers was unmistakable. Companies struggling the most with IoT implementation are much more likely to be hit with IoT-related security incidents.

Every single bottom-tier enterprise experienced an IoT-related security incident in that time, versus just 23% of the top tier. Companies in the bottom tier were also more likely to report problems in these specific areas:

* More than 12 times as likely to have experienced IoT-based Denial of Service attacks

* More than 12 times as likely to have experienced unauthorised access to IoT devices

* Nearly 16 times as likely to have experienced IoT-based data breaches

* Six times as likely to have experienced IoT-based malware or ransomware attacks

These security incidents were not trivial. Among those companies surveyed that are struggling the most with IoT security, 25% reported IoT security-related losses of nearly £257,333 in the last two years.

The five foremost areas for costs incurred within the past two years were monetary damages, lost productivity, legal/compliance penalties, and damage to reputation and stock price. Meanwhile, although the top-tier enterprises experienced some security missteps, an overwhelming majority reported no costs associated with those missteps. Top-tier enterprises attributed their security successes to these practices: encrypting sensitive data, ensuring the integrity of data in transit, scaling security measures, securing over-the-air updates and securing software-based encryption key storage.

“When it comes to accelerating implementations of the IoT, it’s vital for companies to strike a balance between gaining efficiencies and maintaining security and privacy,” added Nelson. “This study shows that enterprises implementing security Best Practice have less exposure to the risks and resulting damages from attacks on connected devices. Meanwhile, it appears these IoT security Best Practices, such as authentication and identity, encryption and integrity, are on the rise. Companies are now beginning to realise what’s at stake.”

Recommendations: five areas to be addressed

The DigiCert survey points to five Best Practices that will help companies pursuing the IoT to realise the same success as the top-tier enterprises:

* Review risk: Perform penetration testing to assess the risk of connected devices. Evaluate the risk and build a priority list for addressing primary security concerns, such as authentication and encryption. A strong risk assessment will help in ensuring that the business doesn’t leave any gaps in its connected security landscape.

* Encrypt everything: As you evaluate use cases for your connected devices, make sure that all data is encrypted at rest and in transit. Make end-to-end encryption a product requirement to ensure this key security feature is implemented in all of your IoT projects.

* Authenticate always: Review all of the connections being made to your device, including devices and users, to ensure that authentication schemes only allow trusted connections to your IoT device. Using digital certificates helps to provide seamless authentication with bound identities that are tied to cryptographic protocols.

* Instill integrity: Account for the basics of device and data integrity, including secure boot every time the device starts up, secure over-the-air updates and the use of code signing to ensure the integrity of any code being run on the device.

* Strategise for scale: Make sure that you have a scalable security framework and architecture ready to support your IoT deployments. Plan accordingly and work with third parties that have the scale and focus needed to help you reach your goals, so that you can focus on your company’s core competency.

For more information on the DigiCert survey, visit https://www.digicert.com/uk/state-of-iot-security-survey/

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.