Despite the growth in use and the need for security in the use of embedded devices (IoT), almost half of all businesses are unable to detect a breach in any of their devices. The situation is worse in the UK (it rises from 48% overall to almost 60%), even though the UK government introduced a code of practice for manufacturers and developers last year.
The figures come from a Gemalto survey of 950 IT and business decision makers globally. Spending on securing IoT is growing (from 11% of IoT budget in 2017 to 13% now); and security awareness is high (90% believe it is a major consideration). Belief that IoT security is an ethical responsibility has grown from 4% a year ago to 14% now. But confidence in breach detection remains low.
Consumers are not impressed. Sixty-two percent believe that security must improve. Fifty-four percent fear a loss of privacy through connected devices, 51% are worried about hackers taking control over the devices, and 50% are worried about a lack of control over their personal data.
IoT security is hard to implement. Most people see government intervention as the best solution. Seventy-nine percent are calling for more robust guidelines on IoT security, while 59% want greater clarity on who is responsible for IoT security. “With no consistent regulation guiding the industry,” comments Jason Hart, CTO, data protection at Gemalto, “it’s no surprise the threats — and, in turn, vulnerability of businesses — are increasing. This will only continue unless governments step in now to help industry avoid losing control.”
Any regulations will, however, need to be mandatory. The UK experience confirms the often-stated belief: if it isn’t a legal requirement, it won’t be done.
Gemalto believes that blockchain may be advantageous in securing the data coming out of embedded devices. Adoption of blockchain has doubled from 9% to 19% in the last 12 months. Twenty-three percent of the survey respondents believe that blockchain technology would be a solution for securing IoT devices, while 91% of the organizations that don’t currently use the technology are likely to consider it in the future.
“While it’s positive [organizations] are attempting to address [concerns] by investing in more security, such as blockchain, they need direct guidance to ensure they’re not leaving themselves exposed. In order to get this, businesses need to be putting more pressure on the government to act, as it is them that will be hit if they suffer a breach.”
However, neither the figures themselves nor the belief in blockchain as a solution are universally accepted. High-Tech Bridge is a firm that provides automated vulnerability scanning for internet-connected systems. Its CEO, Ilia Kolochenko, fears the figures underestimate the problem. “In my experience, less than 10% of European organizations have an up-to-date inventory of their IoT devices, let alone breach detection capacities. Shadow IoT, brought and implemented by employees, exacerbates the situation as corporate data starts being stored on unidentifiable and uncontrollable devices, often with backup in external storage locations or the cloud,” he told SecurityWeek in an emailed comment.
He also believes that the potential for blockchain and national regulations (such as GDPR to protect user data) as solutions is overestimated. “Blockchain technology by definition has nothing to do with many popular attack vectors on IoT devices. GDPR’s role is also questioned, as most of the careless IoT manufacturers are located far beyond EU jurisdiction and do not care about any judicial decisions of European courts against them.”
International regulation on the manufacture and use of IoT devices may be the best solution. But, comments Kolochenko, “Uniform regulation of the IoT market is a Utopia amid current geopolitical tensions in the technology sector. Nonetheless, governmental regulation of secure-by-design IoT is certainly a good idea and probably is the only way to make the IoT market more reliable.”

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
