Before you read this blog, stop and count every electronic device around you. I’m at my work desk; within a 1-meter radius, I have ten electronic devices. In a few years, if I replaced each item with freshly launched products, at least nine of those devices would contain IoT technology.
That’s according to Gartner’s prediction that by 2020, IoT technology will be in 95% of electronics for new product designs.
Since blogging is a large part of my work, I recently attended a talk about how SEO will change by 2020. The speaker had a lot to say on how the way we interact with screens will change and where those screens will be: on refrigerators, tables, and taxi windows, just to name a few places. His excitement was palpable—the convenience of it all! But it was funny to me, because I’ve only experienced the security pros’ perspective of the IoT security nightmare. The speaker reminded me of how excited the rest of the world is for the onslaught of IoT.
It won’t slow down, so we need to anticipate the upcoming IoT security trends and challenges.
IoT security at scale
Cisco predicts that there will be 50 billion connected devices by 2020. Security professionals need to be able to easily secure devices at scale. Luckily, some organizations and tools are responding to that need.
For example, digital certificates issued by a public key infrastructure (PKI) provide a way for devices to cryptographically authenticate each other’s identity and origin. Even better, bad actors can’t easily forge or replicate the cryptographic signatures in the certificates.
Using these digital certificates and PKIs, IT teams can ensure a more secure onboarding process for IoT devices.
Manufacturers have not prepared to manage security complexities
Unfortunately, the IoT devices themselves often aren’t designed with security in mind. Most device makers don’t have security experts on staff; as a result, they design only the absolute minimum of security into the products. Security may even have been a mere afterthought. This is partially due to a desire to reduce both development costs and delivery time.
You’d think that such money-minded companies would be more wary of the PR disasters that poor IoT security can cause. Well, the market doesn’t require them to be that cautious. Bruce Schneier says it best (although he’s referring to the finance industry here, much of it still holds true):
“Worse, the financial markets reward bad security. Given the choice between increasing their cybersecurity budget by 5%, or saving that money and taking the chance, a rational CEO chooses to save the money. Wall Street rewards those whose balance sheets look good, not those who are secure. And if senior management gets unlucky and…a public breach happens, they end up okay. Equifax’s CEO didn’t get his $5.2 million severance pay, but he did keep his $18.4 million pension. Any company that spends more on security than absolutely necessary is immediately penalized by shareholders when its profits decrease.”
Even the negative PR that Equifax is currently suffering will fade.
Response, not prevention
Gartner predicts that through 2022, half of all security budgets for IoT will go to fault remediation, recalls, and safety failures rather than protection. While this encompasses more than cybersecurity, it indicates a shift in mindset—IoT security breaches will happen. The key is having the right systems in place to be able to respond quickly and efficiently. A big component of this strategy is gaining deep visibility and context into every communication on your network. With the right data—and easy access to it—IT teams can respond to threats before they grow into a catastrophe for the organization.
To all of you who are responsible in some capacity for managing IoT security, I hope you feel a little more prepared as we inch closer to a new decade and an ever-evolving threat landscape.