The survey was conducted by ReRez Research in September 2018, with 700 enterprises in the US, UK, Germany, France and Japan from across critical infrastructure industries. The findings come amid a growing focus on IoT within the typical organisation, DigiCert said.
- Eighty-three percent of respondents indicated that IoT is extremely important to them currently, while 92% said they anticipate IoT to be extremely important to their organisations within two years.
- Security and privacy topped the list of concerns for IoT projects, with 82% of respondents stating they were somewhat to extremely concerned about security challenges.
“Enterprises today fully grasp the reality that the Internet of Things is upon us and will continue to revolutionise the way we live, work and recreate,” said Mike Nelson, VP, IoT Security at DigiCert.
“Securing IoT devices is still a top priority that many enterprises are struggling to manage; however, integrating security at the beginning, and all the way through IoT implementations, is vital to mitigating rising attacks, which can be expected to continue. Due diligence when it comes to authentication, encryption and integrity of IoT devices and systems can help enterprises reliably and safely embrace IoT.”
Respondents were also divided into three tiers depending on their answers. Top-tier enterprises experienced fewer problems and showed a degree of mastery in mitigating specific aspects of IoT security.
Middle-tier enterprises scored in the middle range in terms of their IoT security results while bottom-tier enterprises experienced more problems and were much more likely to report difficulties mastering IoT security.
Respondents were asked about IoT-related security incidents their organisations had experienced within the past two years. Companies struggling the most with IoT implementation are much more likely to get hit with IoT-related security incidents. Every bottom-tier enterprise had experienced an IoT-related security incident in the period studied, versus 32% of the top-tier. The bottom tier was also more likely to report problems in these specific areas:
- More than six times as likely to have experienced IoT-based denial of service (DoS) attacks
- More than six times as likely to have experienced unauthorised access to IoT devices
- Nearly six times as likely to have experienced IoT-based data breaches
- Four and a half times as likely to have experienced IoT-based malware or ransomware attacks
These security incidents were not trivial. Among companies surveyed that are struggling the most with IoT security, 25% reported IoT security-related losses of at least US$34 million in the last two years.
The top five areas for costs incurred within the past two years were:
- Monetary damage
- Lost productivity
- Legal/compliance penalties
- Reputational loss
- Stock price
Although the top-tier enterprises experienced some security mis-steps, an overwhelming majority (almost 80%) reported no costs associated with such mis-steps. Top-tier enterprises attributed their security successes to these practices:
- Encrypting sensitive data
- Ensuring integrity of data in transit
- Scaling security measures
- Securing over-the-air updates
- Securing software-based encryption key storage
“When it comes to accelerating implementations of IoT, it’s vital for companies to strike a balance between gaining efficiencies and maintaining security and privacy,” Nelson said.
“This study shows that enterprises that are implementing security best practices have less exposure to the risks and resulting damages from attacks on connected devices. Meanwhile, it appears these IoT security best practices, such as authentication and identity, encryption and integrity, are on the rise and companies are beginning to realise what’s at stake.”
Figure: The top best practices from top-tier IoT implementers. Source: DigiCert website.
DigiCert suggests five best practices:
Review risk
Perform penetration testing to assess the risk of connected devices. Evaluate the risk and build a priority list for addressing primary security concerns, such as authentication and encryption. A strong risk assessment will help ensure you do not leave any gaps in your connected security landscape.
Encrypt
While evaluating use cases for your connected devices, make sure that all data is encrypted at rest and in transit. Make end-to-end encryption a product requirement to ensure this key security feature is implemented in all IoT projects.
Authenticate
Review all of the connections being made to the device, including devices and users, to ensure authentication schemes only allow trusted connections to your IoT device. Using digital certificates helps to provide seamless authentication with identities that are tied to cryptographic protocols.
Instill integrity
Account for the basics of device and data integrity, including secure booting every time the device starts up, secure over-the-air updates, and the use of code signing to ensure the integrity of any code being run on the device.
Strategise for scale
Make sure that there is a scalable security framework and architecture ready to support IoT deployments. Plan accordingly and work with third parties that have the scale and expertise to help.