How confident are you in your IoT security strategy? And that the IoT devices and applications in your organization are secure? If you answered “not very confident,” you’re not alone.
Only slightly more than half of respondents to a recent Deloitte survey said they were “somewhat confident” that their IoT systems are secure. More than 20 percent are “uncertain or somewhat not confident,” while another 8 percent are “not confident at all.”
These results point to the need for all organizations to improve their IoT security strategy for the coming year. Fortunately, we have 5 tips to share from our years of experience to help you amp up your IoT security so you can better protect your business and its assets.
5 tips for a strong IoT security strategy for 2020
Build security into the IoT design and development process
This is our top tip, and the most important idea you should take away from this article. When you incorporate IoT security into the design and development process from day one, your end product is more secure.
This approach makes sure that security gets the attention it deserves, rather than being treated as an afterthought that is squeezed in with any leftover time and budget (assuming there is anything “left over”!).
In addition to creating a more secure product, building security in from the start saves time and money. It is easier and cheaper to correct security issues when you fix them during the build process. Your team can address issues right away without having to go back and make changes to the entire product or system.
In order to take this approach, team members focused on security must be included in all phases of design, development, and testing. You should also make sure you include other business stakeholders, such as legal and compliance teams, to make sure all aspects of IoT security are properly addressed at all stages of development.
It’s important to note that this focus on security continues even after deployment, as new threats can emerge at any time (we will address this issue in more detail below).
Conduct formal training and awareness programs
Everyone on your team probably thinks IoT security is important, but without knowledge about specific threats and the impact they have on organizations, it becomes all too easy to let security fall to the wayside. This is especially true when deadlines are looming.
Many of us have fallen victim to focusing our attention on functionality rather than security. Even though IoT security enhancements may not seem to add much in the way of functionality, they are just as—or more—important.
The impact of an attack can be disastrous. The financial cost varies based on the depth and breadth of the attack, but research has found that attacks can cost a company more than 13 percent of revenue. This number increases when you factor in lost opportunities for future business, as it can take years to restore your reputation in the marketplace.
Share statistics on the financial and reputational impact of an attack with your design and development teams, so they truly appreciate the cost. Educate them on the most common types of IoT attacks and the best ways to protect against them. These include ransomware, supply chain attacks, and over-the-air update attacks. We have written in great detail about these types of IoT attacks and what you can do to protect against them.
Be sure to provide this type of detailed information to your design and development teams, so you can be confident that major threats are properly addressed.
Establish an IoT governance body
A formal body dedicated to IoT governance is the best way to manage enterprise-wide IoT systems and applications. This group should contain stakeholders from across the business.
Responsibilities include:
- Defining a technical strategy for IoT implementations
- Drafting best practices for designing an architecture and framework for IoT projects
- Making sure people with the appropriate skills are put on projects
- Making sure security gets the proper amount of attention
- Making sure that the enterprise as a whole stays aware of new IoT threats as they emerge and identifying those that pose the biggest risk
Employ biometric logins when possible
Biometric technologies such as facial scans and fingerprints remove the security threats associated with weak and stolen passwords. Of course, this is not a solution for every IoT system (such as Industrial IoT systems in a factory), but it can increase the security of individual end-point IoT devices.
Leverage Artificial Intelligence (AI) to identify possible security violations
AI technology can identify potential cyber attacks through intrusion detection systems. An administrator is alerted if a possible attack is identified, so it can be addressed before serious harm occurs.
The use of AI for IoT security is an area where a lot of work is being done, and we expect to see advancements here in 2020. Stay on top of the latest news in this area, so you can benefit from recent developments.
Be prepared to comply with new and pending IoT security regulations
While IoT is largely unregulated when it comes to security, there are several recent regulations that point to change. It is wise to follow these regulations as they emerge to make sure your business can meet those new requirements.
Recent IoT regulations include:
- State requirements for IoT device security—California and Oregon are the first two states to pass requirements for IoT device security. These laws will take effect on January 1, 2020, and other states are likely to follow. Both laws call for “reasonable” security features, but they don’t clearly define what that means. The laws also define connected devices differently, which adds to the questions about how to best comply. The best approach is to evaluate the type of data collected and how it is being used. This should feed directly into the proper security steps required (with more personal and confidential data requiring higher levels of security).
- Cybersecurity Improvement Act of 2019—In March of this year, Congress introduced the Cybersecurity Improvement Act of 2019 to improve the security of IoT devices. The goal of the legislation is to push manufacturers towards a “security by design” approach—in other words, build security into the process (our number one tip). The act would allow the National Institute of Standards and Technology (NIST) to draft regulations.
- International regulations—Other countries such as the United Kingdom and Japan have also expressed their intent to introduce IoT standards and guidelines.
IoT security will always be important. As the number of connected devices grows, security continues to demand more and more attention. The best defense is a good offense, so we recommend taking a proactive approach to IoT security by following the tips we have outlined here. These strategies will get you well on your way to secure IoT systems and applications in the coming year. If you need additional guidance or expertise on how to implement any of these best practices, consult experts in the field who can partner with you to make sure you protect your organization and customers.