What Do IoT Security-Savvy Companies Know That Others Don’t?

The gap between companies that are the most security-savvy about the Internet of Things (IoT) and those that are the most security-challenged is huge, according to a recently released 2018 State of IoT Security Survey. That lack of knowledge of IoT security risks has led to costly security missteps.

Just 32 percent of top-tier companies reported making a security misstep, but every single bottom-tier company had made a few, highlighting how IoT security best practices—including authentication, encryption and integrity—impact business success.

How costly are those security missteps? Among those companies that are the most challenged by IoT security, 25 percent lost at least $34 million over the past two years, in contrast to top-tier companies.

Most of these reported losses came in five expensive areas:

• 59 percent – monetary damages
• 59 percent – lost productivity
• 43 percent – legal/compliance penalties
• 40 percent – lost reputation
• 31 percent – stock price fluctuations

The DigiCert-commissioned survey, which was conducted by ReRez Research in September 2018, involved surveying 700 organizations in five countries: the United States, the United Kingdom, Japan, France and Germany. The represented industries included healthcare, industrial commerce, consumer products and transportation.

These survey results revealed a major divide among companies. Some are doing incredibly well at tackling IoT while others are seriously struggling. Based on this, we divided these enterprises into three categories based on their expertise with IoT security.

• Top-tier companies report the fewest problems and the most mastery of IoT security.
• Middle-tier companies are squarely in between these two extremes in their reported IoT security confidence.
• Bottom-tier companies report far more problems and have more trouble mastering IoT security.

Before delving further into the differences between those success stories at the top and those in trouble at the bottom, let’s look at what the study revealed about the extent to which enterprises are prioritizing IoT, and why they’re doing it.

Why IoT?

An impressive 83 percent of survey respondents said IoT is somewhat to extremely important to their business, and 92 percent believe that IoT will be somewhat or extremely important by 2020.

[bctt tweet="IoT security missteps are extremely costly, but #IoT is becoming a key driver of business growth. Therefore, effective security measures must be put in place to avoid costly mistakes. || #IoTForAll #cybersecurity #IoTSecurity #DataQuality @kennethholley" username="iotforall"]

Enterprises have four goals in mind when they adopt IoT, according to survey respondents:

• Increase operational efficiency
• Improve the customer experience
• Grow revenue
• Gain business agility

IoT Security Confidence

While two-thirds of companies are engaged with IoT in some capacity, just a third have implemented IoT strategies across the organization, according to DigiCert’s survey. Security is, and should be, a priority for all companies developing an IoT initiative.

Most companies realize this. Security topped the list of concerns, surpassing concerns about privacy, cost and regulations. An overwhelming 82 percent said they were somewhat to extremely concerned about security challenges.

There’s a big confidence gap between top-tier and bottom-tier companies on how to meet these security challenges. Bottom-tier enterprises were 38 percent more likely than top-tier enterprises to rate a lack of appropriate IoT security-specific skillsets within their organizations as somewhat to extremely challenging.

Other statistics that illustrate this company confidence difference reveal that bottom-tier companies surveyed are:

• 27 percent more likely to find privacy challenging
• 26 percent more likely to find scalability challenging
• 17 percent more likely to find security challenging
• 17 percent more likely to find lack of standards for security in IoT challenging
• 13 percent more likely to find regulation more challenging

The popular business maxim is “change or die.” A lack of confidence can lead to inaction. It’s a serious problem because treading water, technologically speaking, does no favors for enterprises striving to innovate.

IoT Security Risks

Lacking the solid IoT security practices of top-tier companies, bottom-tier companies report more security missteps that lead to those costly losses I mentioned earlier. In the survey, we asked companies to consider any IoT security missteps their company has made within the past two years.

• More than 6 times more likely to have experienced IoT-based denial of service attacks (44 percent of bottom-tier companies versus only 7 percent of top-tier companies)
• More than 6 times likelier to have experienced unauthorized access to IoT devices (62 percent of bottom-tier companies versus 10 percent of top-tier companies)
• Nearly 6 times more likely to have experienced IoT-based data breaches (69 percent of bottom-tier companies versus 12 percent of top-tier companies)
• 5 times likelier to have experienced IoT-based malware or ransomware attacks (68 percent of bottom-tier companies versus 15 percent of top-tier companies)

The bottom-tier companies pointed to a few particularly troublesome spots. In comparison to top-tier companies, bottom-tier companies are:

As mentioned earlier, such IoT security missteps are extremely costly, with monetary damages, lost productivity, lost reputation, legal/compliance penalties and stock price fluctuations topping the list of negative consequences. In addition, 26 percent of bottom-tier companies had to pay mitigation costs, 21 percent experienced business closures, and 22 percent faced criminal prosecution.

In contrast, none of the top-tier companies had to pay mitigation costs or had business closures as a result of IoT security missteps, and much fewer experienced stock price fluctuations (16 percent), lost productivity (14 percent), monetary damages (5 percent), legal/compliance penalties (4 percent), lost reputation (3 percent) and criminal prosecution (1 percent).

IoT Security Best Practices

What do these top-tier companies know that bottom-tier companies don't? Several best practices came to light that contribute to these companies’ successes with IoT security.

Here are the five big ones:

• Review your risk so you can build a thorough IoT security plan.
• Make end-to-end encryption a product requirement so this key security feature is implemented in all your IoT projects.
• Always authenticate with digital certificates to make sure only trusted connections are being made to your IoT devices.
• Instill data integrity in your IoT devices so your devices are starting up securely every time, and over-the-air updates are secure.
• Your security framework and architecture should be scalable to support your IoT deployments.

The Key Takeaway

IoT is on everyone’s minds—and for good reason. It’s paramount for business growth. The survey indicates the most common security measures practiced by the highly successful enterprises are authentication and identity, encryption, and data integrity. The results present a strong testimony: good security practices have a real impact. These security successes are due to the following practices:

• Encrypting sensitive data
• Ensuring the integrity of data in transit
• Scaling security measures
• Securing over-the-air updates
• Securing software-based encryption key storage

Written by Mike Nelson, Vice President, IoT Security at DigiCert.