A new survey of more than 7,000 IT professionals from global cybersecurity association ISACA suggests that a lack of clarity and standards around Internet of Things (IoT) security is leading to a lack of confidence.
According to the UK IT professionals surveyed for ISACA’s 2015 IT Risk/Reward Barometer (http://tinyurl.com/pupb8kz), 75 percent of the security experts polled say they do not believe device manufacturers are implementing sufficient security measures in IoT devices, and a further 73 percent say existing security standards in the industry do not sufficiently address IoT-specific security concerns and that new standards are needed.
Combined with the assertion from 56 percent of respondents that their organization’s IT department is not aware of all of its connected devices (e.g., connected thermostats, TVs, fire alarms, cars), these figures demonstrate significant risk. The worldwide IoT is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices by 2020, according to one estimate.*
“With the explosion in popularity and hype around the Internet of Things, it is proving difficult for manufacturers and organizations to keep up with the clear realities and implications for security the IoT represents. What is being created, along with the physical object like a thermostat, smartwatch or connected alarm system, are the countless entry points that cyberattackers can use to access personal information and corporate data,” says Ramsés Gallego, past international vice president of ISACA. “The rapid spread of connected devices is outpacing an organisation’s ability to manage it and to safeguard company and employee data. We need to change that so we can reap the many benefits of the IoT.”
Forty-one percent of the IT professionals surveyed say the most significant security concern for enterprises related to the IoT lies in device vulnerabilities, and there is a good chance of a company being hacked through an IoT device (64 percent put the risk likelihood at medium/high). With 62 percent expecting a cyberattack in the next 12 months, and only 51 percent confident they are prepared for such an event, the responses raise questions about how organizations can achieve the many benefits of IoT while managing the risk—particularly since 68 percent of UK IT professionals say organizations of all sizes are equally at risk.
However, there is good news too. Thirty-four percent say they have achieved greater access to information as a result of the IoT, and 29 percent say IoT has improved services at their organization. The survey report notes that the business risk of not embracing the IoT and falling behind competitors may well outweigh any potential cost of a cyberattack, and that organizations need to manage the risk to achieve the most benefit.