With IoT, Security Must Be Built in from the Beginning

Unless you’ve been trekking in the Andes or riding camels in Mongolia over the last few years, you know that the Internet of Things, or IoT, is real. According to Gartner, about 6.5 billion devices were connected through IoT at the end of 2016, and the figure is projected to reach approximately 26 billion by 2020. At this point, it’s safe to say IoT and industrial IoT, or IIoT, touch almost every aspect of business and life.

Yet the opportunities associated with IoT also serve up a significant challenge: ensuring that products and services are secure—and that the data flowing through a growing tangle of devices and systems is protected. “There are substantial risks associated with the IoT,” said Naveed Bandukwala, a consultant at global leadership advisory Egon Zehnder. “These span areas as diverse as consumer data, intellectual property, reputational risk, and operations.”

At the center of all this is a critical issue: despite growing security concerns about IoT and IIoT, many businesses overlook key factors and offer products and services that lack essential protections. “Too often, organizations lack a comprehensive and holistic approach to cybersecurity and the IoT,” said Paul Hill, a senior consultant at cybersecurity firm System Experts Corporation. “Products lack key security features when a company introduces them into the marketplace.”

According to a 2017 study conducted by LogMeIn and SecurityLedger, 51 percent of respondents said their companies are developing one or more connected products, and 23 percent indicated that their companies already produce connected products. Yet only 30 percent of employees at companies that were researching or developing connected products ranked security among their top priorities.

The survey also found that top security concerns typically focus on outside threats, including hackers and attackers, while executives minimize risks from the inside, including issues such as weak authentication, poor data protection, and subpar communications frameworks. In the end, it’s essential to recognize a basic fact about IoT: “Threats can come from all directions,” pointed out Kal Bittianda, a consultant at Egon Zehnder.

Here are four things your organization must focus on when developing products and services for IoT or IIoT:

  • It’s all about the data. It’s easy to focus on specific and ad hoc security components. However, a best practice approach to securing IoT products, services and systems revolves around data-centricity. “As an enterprise adds sensors and promotes connected capabilities across devices and deeper into the business, it’s impossible to address security gaps on a constant one-off basis,” said Bandukwala. “It’s necessary to focus on the data, including who owns it, how it can be used, and where it goes.”

Working from a data-centric, metadata-focused approach and mapping data flows, it’s possible to design protections more comprehensively by blending security technology and processes more deeply. “If you fall down in this area, you risk damage to your customers or your reputation,” he added. “The problems can become very big and very complex very quickly.”

  • Privacy matters. Privacy issues are often more nuanced than executives like to acknowledge. They involve far more than Social Security numbers and credit-card data. “Privacy ties into your location at any given moment, where you are going and what you are doing,” Bittianda explained.

What’s more, as data scientists learn how to connect data points, they’re finding it’s possible to uncover correlations that deliver revealing—and sometimes dangerous—details of a person’s life, health, and state of mind. Fitbits, mobile phone logs, and clickstream activity fill in the details.

It’s also important to recognize that there are growing risks associated with using data in unethical ways or holding individuals and corporations ransom. “The legal implications and penalties are potentially huge,” Bittianda said.

  • Device security is more than the sum of protocols. A remarkable number of IoT products and services are built using legacy operating systems and old firmware. Making matters worse, many engineers and developers rely on protocols that do not provide inherent security. “Too often, there are no automatic patches or updates built into the software. It’s necessary to manually update or patch systems,” Hill said.

Of course, manual processes often fall into the realm of “maybe” or “perhaps” an update will take place. “The problem is that, when it’s left to people to apply patches and updates, things become questionable,” Hill observed.

Bandukwala said security cannot be an afterthought. It has to be built into the design, engineering, and production processes—and become embedded in the product lifecycle. “Executives must think about these issues. It’s too easy to get caught up in the rush to get products to market,” Bittianda warned.

  • Network security is just as important as device security. Frequently overlooked is the fact that stellar device security does no good if systems and networks aren’t equally secure. If hackers and attackers are able to enter systems and grab data—through weak authentication, social engineering, the lack of appropriate data encryption, or other means—the risks multiply.

Third parties and complex business relationships enabled by the cloud and APIs further complicate matters. BYOD policies ratchet up the stakes further. All of this points to a need for robust and comprehensive controls that span technology and processes. Governance is also at the core of IoT security.

There’s also a need for unwavering support from the C-Suite and board of directors, as well as adequate funding. “Senior-level executives and the board need to take IoT risks seriously. There are many potential ramifications, including the loss of core intellectual property,” Bandukwala explained.

How can executives and the board make a difference? Bittianda said that a key is to understand the overarching risks and issues involving cybersecurity and IoT. It’s important to focus on more than compliance and regulations. It’s also crucial to promote training and education across the enterprise, from developers to clerks and field technicians to the C-Suite.

Ultimately, in a connected world, security must span every aspect of IT and the business. Said Bittianda: “Security is something that has to be considered and built in from the very beginning of a project.”