Internet of Things (IoT) devices of all forms are becoming a part of the norm for many business models for all kinds of organizations. The benefits of implementing IoT are probably more than we can list here. But their benefits are shared with many cybersecurity risks that many aren’t even realizing yet.
A recent report from the Ponemon Institute and the Santa Fe Group suggests that unsecured IoT devices are causing major problems for organizations nationwide.
And while this may not be totally shocking to read, the real brain-scratcher is that Ponemon reported only a mere 9% of companies are warning their employees about IoT risks. (Read 10 Steps to Strengthen Your IoT Security.)
If IDC’s forecast proves to be accurate, then there’ll be almost 41.6 billion connected things in 2025 that will generate 79.4 zettabytes of data. That’s a lot of data for cybercriminals to scope.
So how can businesses put these risks in focus and get an early jump to protect their organization?
Could a Security-by-Design (SbD) approach be the best solution to limit IoT risks in the workplace? (Read What is the difference between security architecture and security design?)
The answers to these questions are better left to the tech experts.
We wanted to consider their thoughts on the value and potential of Security-by-Design strategies and if it’s all business’ need to implement to feel protected. Here’s what they said.
5G opens up many possibilities for more Security-by-Design in IoT devices
This is a common question we receive in the cybersecurity community, and the answer is yes – mitigating IoT cybersecurity risks is best addressed in the design phase of products to ensure there are no blatant vulnerabilities. The proliferation of data breaches has caused fatigue among consumers, but companies have more to lose by taking a reactive approach to IoT security.
The adoption of 5G opens up many possibilities for more SbD in IoT devices, thanks to increased bandwidth that provides more encryption and authentication methods not previously available. 5G allows for the segmentation of data paths which is a simple way to protect IoT devices.
Pushing data processing to the edge can shorten the path from the IoT device to the collection point, reducing the exposure of data in motion.
—Ted Wagner, CISO, SAP NS2
Expect more from IoT device makers to create a secure setting
By insisting on SbD principles by manufacturers, you are ensuring that the manufacturer is repairing any security issues that they discover smartly and effectively. You can know that they are testing any problems they discover and fixing them in ways that do not cause what’s called regression.
Codebases are often polluted with security flaws simply because of design patterns – in other words, problems are duplicated simply because they’re replicated by design practices. You can avoid that when the manufacturers of your IoT devices are broad-minded with the impact of all code repairs.
Protection should be extensive but not confusing. Companies that follow SbD are also choosing security ease – avoiding software complexity in favor of simplicity. SbD means you are limiting the attack surface area to which your IoT devices are exposed – and in turn, making it easier to protect yourself.
These manufacturers also create a secure experience by default. Many platforms offer heightened security but require you, as the consumer, to know how to implement them as options within their system. By standardly including elements such as password complexity and aging, again, IoT manufacturers can better protect consumers.
These are just a few examples. The key point is that you need to expect more from IoT device makers if you want to be able to create a secure setting – and that these same expectations should apply to all hardware, software, and systems you use.
—Brian Gill, Co-Founder, Gillware Data Recovery
SbD allows organizational proactivity
Businesses are moving to the cloud, and this gives them a great reason to move to a Security-by-Design process and should be made a big priority.
SbD formalizes and automates the software and network design process at the beginning of the development process, ensuring scalability and minimizing issues as an application inevitably evolves. By not trying to put “bandaids” on after the fact, things are designed better, built better, and roles are more clearly defined. This makes testing easier and results in a better final product – not just in terms of security.
SbD is preferred because it allows businesses to build security from the start of the project versus trying to enforce security policies, playing “catch-up”, and always making security the “enemy”. The security team doesn’t need to be consulted on every single change, only significant changes. This allows each group to focus on the issues most important to each group.
The best part of SbD is when dealing with any kind of compliance issues. As anything evolves, it must be carefully reviewed to meet compliance standards. As SbD requires strict maintenance and control, it is an ideal way to meet objectives.
—Aaron S. Birnbaum, Chief Security Officer, Seron Security, LLC
SbD is absolutely the best way to limit IoT risks in the workplace, rather than trying to add security elements after the fact. For example, all accounts should come with two or even multi-factor authentication to make sure that only authorized users can access sensitive data.
Two-factor authentication involves a passcode being sent to the user’s mobile device, while multi-factor authentication includes biometrics, like fingerprint or facial recognition. (Read How Passive Biometrics Can Help in IT Data Security.)
Another cybersecurity necessity is employing password managers to make sure each account has a long, complicated, and unique password. All of the usernames and passwords will be stored in an encrypted vault, which can also store financial information, social security data, and other sensitive data.
With these measures in place from the beginning, IoT devices become much less susceptible to hacking.
—Gabe Turner, Director of Content, Security Baron
SbD shouldn’t be considered the be-all-end-all solution
A SbD approach is a critical first step in mitigating IoT cybersecurity risks in the workplace, but it shouldn’t be considered the be-all and end-all solution to maintaining proper security measures for enterprises employing the use of IoT devices as part of their everyday business operations.
In other words, business owners should never assume that “security by design” equates to “set it and forget it” when it comes to securing IoT devices and protecting the company and customer data.
As more and more IoT devices begin saturating the business environment, the attack surface continues to grow and places businesses at an ever-increasing risk of becoming the target of a cyberattack. SbD is an important piece of the puzzle, but there is quite a lot more that goes into ensuring the proper security of IoT in the workplace.
For example, ALL staff from every level in the organization must be properly trained in security best practices to ensure each employee is on the same page.
Access permissions for applicable devices should be reserved only for staff whose access is essential for their work; third-party vendors and suppliers need to be properly vetted according to their security practices. The company’s network architecture needs to be designed securely and should ideally isolate IoT devices on a separate network, and device firmware should constantly be updated to properly guard against evolving threats.
While security by design is vital, a more holistic approach to security is the way to go for businesses to more soundly protect themselves from cyber threats.
—Attila Tomaschek, Digital Privacy Expert, ProPrivacy
Database maintenance can better manage every associated digital IoT identity
Business leaders are accountable for the network-connected devices already inside the business and the risks they bring. As the number of devices in the business grows, it’s important that IT teams maintain a database to better manage every digital identity associated with connected IoT devices.
Connected devices are a significant concern for business leaders managing a company’s risk; leaders must look at IoT within their security framework as a separate entity, mapping endpoint identification, data validation, business integration, and operational agility across their business-related IoT. Clear policies should be developed and enforced across the workforce to minimize the risk of unapproved or personal devices that employees bring to work.
The reality is that IoT adoption will continue to grow, and while every new generation of IoT devices will be more robust than the last, we’re still stuck managing the legacy devices that lack security and the ability to better secure them.
—Chris Hickman, Chief Security Officer, Keyfactor
Long-term SbD investment takes security development lifecycle expertise and leadership
I’ve seen security-after-the-fact as an approach for technology over the past 25 years in security. It has only ever worked due to product failure, not because it is a resilient way to protect technology users or the data the technology relies on or generates for products or services that are actually used among a meaningful set of users or organizations.
The cost of applying security after the fact is very high and, in some cases, not possible. How does an enterprise fix a vulnerability in something like a surveillance camera if the vendor/manufacturer doesn’t address it?
Correcting vulnerabilities in IoT devices can be an extremely costly situation if the developers and manufacturers have not designed the ability to ship security improvements for released products into their product lifecycle.
So, IoT product development definitely needs to have security built into the product development lifecycle. I’ve seen firsthand how SbD can transform a technology company. It is costly (in time and resources), it requires focus and discipline, and most importantly, it takes security development lifecycle expertise and leadership willing to drive this effort as a long-term investment.
It can’t be done overnight before a product ships, it can’t be done the night before a product specification is sent to a manufacturer, it has to be done from day one.
—Aaron Turner, CEO, Hotshot