73 percent say existing security standards in the industry do not sufficiently address IoT.
London, UK (14 October 2015)— A new survey of more than 7,000 IT professionals from global cybersecurity association ISACA suggests that a lack of clarity and standards around Internet of Things (IoT) security is leading to a lack of confidence.
According to the UK IT professionals surveyed for ISACA’s 2015 IT Risk/Reward Barometer, 75 percent of the security experts polled say they do not believe device manufacturers are implementing sufficient security measures in IoT devices, and a further 73 percent say existing security standards in the industry do not sufficiently address IoT specific security concerns. Combined with the assertion from 56 percent of respondents that their organisation’s IT department is not aware of all of its connected devices (e.g., connected thermostats, TVs, fire alarms, cars, etc.) these figures demonstrate significant risk.
The worldwide IoT is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices by 2020, according to one estimate.*
“With the explosion in popularity and hype around the Internet of Things, it is proving difficult for manufacturers and organisations to keep up with the clear realities and implications for security the IoT represents. What is being created, along with the physical object like a thermostat, smartwatch or connected alarm system, are the countless entry points that cyber attackers can use to access personal information and corporate data,” said Ramsés Gallego, past international vice president of ISACA. “The rapid spread of connected devices is outpacing an organisation’s ability to manage it and to safeguard company and employee data. We need to change that so we can reap the many benefits of the IoT.”
Forty-one percent of the IT professionals surveyed say the most significant security concern for enterprises related to the IoT lies in device vulnerabilities, and there is a good chance of a company being hacked through an IoT device (64 percent put the risk likelihood at medium/high). With 62 percent expecting a cyberattack in the next 12 months, and only 51 percent confident they are prepared for such an event, the responses raise questions about how organisations can achieve the many benefits of IoT while managing the risk—particularly since 68 percent of UK IT professionals say organisations of all sizes are equally at risk.
However, there is good news too. Thirty-four percent say they have achieved greater access to information as a result of the IoT, and 29 percent say IoT has improved services at their organisation. The survey report notes that business risk of not embracing the IoT and falling behind competitors may well outweigh any potential cost of a cyberattack, and organisations need to manage the risk to achieve the most benefit.
Recognising that changes in a company’s security architecture is not an easy or speedy process, the advice given as the best way to protect crucial data against threats is simple: Avoid storing sensitive or classified data on the device. This took clear preference over other recommendations, as seen below from the UK and global experts (global data in brackets):
- Avoid storing sensitive or classified data on the device(s): 43% (45%)
- Change privacy settings: 17% (15%)
- Turn off Internet-enabled functions when not actively in use: 14% (15%)
- Change passwords: 14% (11%)
- Avoid using or logging into public Wi-Fi access points: 7% (10%)
- Other: 5% (4%)
ISACA has this advice on ways for enterprises to maintain a cyber-secure workplace:
- Safely embrace IoT devices in the workplace to keep competitive advantage.
- Ensure all workplace devices owned by organisation are updated regularly with security upgrades.
- Require all devices be wirelessly connected through the workplace guest network, rather than internal network.
- Provide cyber security training for all employees to demonstrate their awareness of best practices of cyber security and the different types of cyberattacks.
The organisation also has compiled a set of tips for device manufacturers to add security to their products:
- Require all developers who build software to have appropriate performance-based cyber security certification, to ensure safe coding practices are being followed.
- Insist all social media sharing be opt-in.
- Encrypt all sensitive information, especially when connecting to Bluetooth-enabled devices.
- Build IoT devices that can be automatically updated with new security upgrades.
ISACA established Cybersecurity Nexus (CSX) to help organisations develop their cybersecurity workforce and help individuals advance their cybersecurity careers. For information on CSX, including the CSX 2015 cybersecurity conference and the new CSX Practitioner certification, visit https://cybersecurity.isaca.org.
About the Risk/Reward Barometer
The annual IT Risk/Reward Barometer is a global indicator of trust in information. Conducted by ISACA, the Barometer polls thousands of IT and cybersecurity professionals and consumers worldwide to uncover attitudes and behaviors about essential technologies and information, and the trade-offs people make to balance risk and reward. The study is based on online polling of 7,016 ISACA members in 140 countries from 27 August to 8 September 2015. Additional online surveys were fielded by M/A/R/C Research among 1,227 consumers in the US, 1,025 consumers in the UK, 1,060 consumers in Australia, 1,027 consumers in India and 1,057 consumers in Mexico. The US survey ran 17-20 August 2015, and the UK, Australia, India and Mexico surveys ran 21-30 August 2015. At a 95 percent confidence level, the margin of error for each individual country sample is +/- 3.1 percent. To see the full results, visit www.isaca.org/risk-reward-barometer.
ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.
ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Kristen Kessinger, +1.847.660.5512, firstname.lastname@example.org
Karl O’Doherty, +44 20 7611 3885, email@example.com
* ABI Research for Verizon, 2015. http://www.verizonenterprise.com/state-of-the-market-internet-of-things/