Point of View

Cybersecurity must be a critical element of your IoT strategy – or suffer potential calamity

It’s now very much in vogue to stick sensors and processors in just about every new device being rolled out—even your shoes aren’t safe. This ever-expanding use of IoT to deliver solutions means that security teams can no longer ignore a single, unprotected device. McKinsey predicts that IoT coverage will expand 15% to 20% through 2020, and even more beyond that, generating $11.1 trillion (US) each year by 2025; the available surface area for cyberattacks is only getting bigger.

 

While we hear about the benefits of the internet of things (IoT), cloud, and edge computing, we aren’t paying enough attention to the expanding computing landscape that information security professionals are duty-bound to protect.

 

The reality is that the chief information security officers’ (CISO) teams will have to influence their enterprise’s IoT strategy to ensure that cybersecurity capabilities can secure this burgeoning network of connected devices. Otherwise, expect to be hauled in front of the board to explain why the business has another costly security breach and all the associated infringements to address.

 

The expanding IoT gives cyberattackers a strong advantage over cyberdefenders

The disparity between attackers and defenders, when it comes to cybersecurity, is already vast: a hacker looking to infiltrate a system only needs a single point of weakness, while a cyber-defender must ensure the security of the entire network. Cyber-defenders must also address the threat of their defense protocols being “poisoned.”

 

The World Economic Forum names cyberattacks as the biggest concern facing businesses in advanced economies. And with the increasing presence of the IoT comes an increased surface area for cyberattack potential. The IoT now means that single points of weakness created by consumers or companies cheaping-out on cybersecurity will allow attackers to access entire networks. Consider the example of not installing security on your home laptop—what happens when you connect that laptop to every part of your home, your life, and the lives of everyone you know?

 

One of five “new for 2019” cybersecurity threats put forward by the MIT Technology Review is the threat of attacks directly from the cloud—made even more vulnerable by cloud-connected IoT and 5G rollouts.

 

Policy enforcement is looming—once the first major hack due to IoT vulnerability hits the headlines

If your enterprise doesn’t act now to ensure the protection of its current and emerging ecosystems, you may find yourself suddenly forced by the government into a financially burdensome, time-intensive, panic-ridden upgrade. We’ve seen it before—and with increased scope and powers. Just look at the chaos GDPR brought to some businesses.

 

In a future with strong regulatory frameworks in place, CISOs will be forced into securing their networks, but device-level protocols must also be standardized. Cue an inspirational quote about “only being as strong as your weakest link.” The scale of the cyber-threat the IoT makes possible means that consumers and enterprises must not have the option of being that weak link. Historically, cybersecurity has been in its own silo; this cannot continue—cybersecurity must become an integral part of any digital transformation.

 

Early movements toward this regulatory future have begun. The US’ IoT Cybersecurity Improvement Act of 2017 leverages the government’s procurement strength to ensure the security of its purchased IoT devices meets a particular standard. The Federal Trade Commission introduced IoT security parameters when white-hat (“ethical”) hackers showed how easy it was to take control of a Jeep in 2015. The UK government also released guidance (guidance is very much the key word) in 2018: a “Minimum Cyber Security Standard.” We emphasize the need to act now before this “guidance” becomes mandatory.

 

We can go straight to the source of many IoT devices to get a sense of how this need is emerging:

 

“As IoT scales, security is no longer optional as users need to know and trust their data is safe across connected devices—but security must be a shared responsibility.”

—Paul Williamson, Vice President and General Manager, IoT Device IP, Arm

 

 

Enterprises must ensure that cybersecurity measures are not just tick-boxes. Complementary health checks should be in place alongside ongoing threat analysis (AI may find a use in this regard). Enterprises must ensure the awareness and re-skilling of employees along with their capability to identify and respond to an attack.

While large enterprises have the most to lose, startups might also suffer dearly from these kinds of regulations. As security costs climb and hit startups hard, technological advances may stall, and partnerships within the cybersecurity ecosystem will become critical for all involved.

 

The Bottom Line: There can never be a let up when it comes to improving IoT cybersecurity

Ever-improving cybersecurity comes as a double-edged sword—hacking capabilities will only move in one direction. Enterprises must be vigilant, even after meeting minimum regulatory standards, to manage ever-changing vulnerabilities. Third-party risks will play a big role and enterprises will require additional standards and certifications to ensure adequate cybersecurity on the side of suppliers and customers. We must not create single points of weakness as we all move toward the hopes and hazards of the hyperconnected economy.
