Gartner predicts that 20.8 billion internet-connected devices, collectively known as the internet of things (IoT), will be in use worldwide by 2020. That is a 14.1 billion increase from 2016. This has the potential to drive an economic boost in the range of $4 trillion to $11 trillion annually by 2025, according to The McKinsey Global Institute. While the rapid growth of IoT will be an economic advantage, a world where anything from a pacemaker to a toaster oven is connected to the internet will also create unforeseen security risks.
Not surprisingly, the increase in IoT adoption and in data generated by connected devices has led to a surge in IoT security breaches. A 2017 Altman Vilandrie & Company survey of 397 IT executives across 19 industries showed that 48% of organizations have experienced at least one IoT security breach. The survey also states that these breaches cost smaller companies as much as 13% of their annual revenue, and for firms with over $2 billion in revenues, the cost could reach more than $20 million.
The healthcare industry, as a prominent beneficiary of IoT, has seen a sharp increase in medical device hacking. According to Wired.com, since 2014, the healthcare industry has been hacked more frequently than even the oft-targeted financial sector. Healthcare organizations are an easy target due to the large number of medical devices connected to the internet. Cyber criminals can gain access to remotely disrupt life-saving IoT devices like insulin pumps and pacemakers. Medical devices connect to a huge array of sensors and monitors, making them potential entry points to larger hospital networks. This leaves medical records vulnerable to theft or ransomware attack.
The FDA encourages medical device manufacturers to detect and monitor the risk of vulnerabilities within devices. Manufacturers will need to work more closely with cybersecurity professionals and researchers to fix any major vulnerabilities before they become a problem.
Companies, especially in the healthcare industry, need to reconsider how they spend their IoT budget to better protect their data. A 2016 study by Bain.com surveyed more than 650 IoT executives and found that, due to the increasing influx of data, cloud service providers will be one of the main IoT expenditures considered in coming years. All of that new information will need to be collected and analyzed, a task that can easily outstrip IT’s own in-house server capacity. Cloud functions as the equivalent of a big data center and will allow IT to host and store the massive increase of data heralded by IoT.
IT professionals need to take proactive steps to prevent data loss. IoT has limitless capabilities and is ushering in industry-wide innovation, but security should be a critical part of the design and development of the hardware and software. Efforts to diminish these security risks will aid in the wider adoption of IoT. Cloud Security Alliance published a white paper in 2015 that includes helpful best practices for protecting IoT data:
- Data loss prevention (DLP) software has been a critical and widely used security solution to prevent data loss via traditional vectors such as email and endpoint, and more recently, has been extended to data stored in cloud applications. Most IoT devices are expected to collect and transfer vast amounts of information. DLP provides assurance that sensitive data is not distributed outside of the designated user base, cloud service, or network. DLP planning should be conducted early in the deployment and should include creating an inventory of the types of sensitive data collected, then classifying them based on level of sensitivity and compliance requirements.
- To protect data on the device and in transit, end-to-end encryption should be used. For every device, a unique cryptographic key must be generated which will be linked to a pre-registered security authority. Cryptographic implementations used in IoT devices should undergo crypto algorithm validation testing, and possibly crypto module conformance testing through validation testing schemes.
- Device security is another crucial area when considering your IoT security posture. Even when devices aren’t storing sensitive data, they should still be hardened against intrusions and botnet attacks. This is because internet-connected devices are notorious for their hackability, which was highlighted when the Domain Name System (DNS) service provider Dyn fell victim to a massive DDoS attack originating from thousands of internet-connected devices such as hacked CCTV cameras and digital video recording (DVR) devices.
- Establishment of standardized APIs between data analytics platforms and security information and event management (SIEM) solutions would provide the ability to capture a complete view of an organization’s IoT implementations. Adjusting data analytics systems to identify potential security events and feed that filtered output to a SIEM could add significant security value.
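
To make the last two practices concrete, here is an added Python example (not taken from the Cloud Security Alliance paper or any product) that reduces device telemetry to security-relevant events and serializes them for a SIEM. The record layout, rule names, thresholds, JSON-lines output and the sample data are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque

# Assumed thresholds: 5 failed logins per source within 60 s; 3 outbound hosts.
FAIL_LIMIT, FAIL_WINDOW, MAX_DESTS = 5, 60, 3

# Constructed telemetry: (epoch seconds, device id, event type, remote address)
SAMPLE = (
    [(1000 + 5 * i, "cam-17", "auth_fail", "203.0.113.9") for i in range(6)]
    + [(1040, "cam-17", "auth_ok", "203.0.113.9")]
    + [(1200 + i, "dvr-02", "conn_out", f"198.51.100.{i + 10}") for i in range(5)]
    + [(1300, "pump-01", "conn_out", "192.0.2.10")]
)

def detect(records):
    """Reduce raw telemetry to alert dicts, at most one per device and rule."""
    fails = defaultdict(deque)   # (device, source) -> recent failure times
    dests = defaultdict(set)     # device -> outbound destinations seen
    fired, alerts = set(), []
    def alert(ts, device, rule, severity, detail):
        if (device, rule) not in fired:
            fired.add((device, rule))
            alerts.append({"time": ts, "device": device, "rule": rule,
                           "severity": severity, "detail": detail})

    for ts, device, kind, remote in sorted(records):
        if kind in ("auth_fail", "auth_ok"):
            window = fails[(device, remote)]
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()          # forget failures outside the window
            if kind == "auth_fail":
                window.append(ts)
                if len(window) >= FAIL_LIMIT:
                    alert(ts, device, "login_guessing", "medium", remote)
            elif len(window) >= FAIL_LIMIT:   # success right after a failure burst
                alert(ts, device, "login_after_failures", "high", remote)
        elif kind == "conn_out":
            dests[device].add(remote)
            if len(dests[device]) > MAX_DESTS:
                alert(ts, device, "outbound_fanout", "high",
                      f"{len(dests[device])} destinations")
    return alerts

def to_siem(alerts):
    """Serialize alerts as JSON lines, one event per line."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)

if __name__ == "__main__":
    print(to_siem(detect(SAMPLE)))
```

On the constructed data, the camera raises two alerts, the DVR raises one for contacting more hosts than expected, and the pump raises none, so only three events reach the SIEM instead of thirteen raw records.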