The “Internet of Things” (IoT) is here. Manufacturers across industries are reinventing consumer products—from refrigerators to thermostats—by incorporating smart, connected capabilities to capitalize on the global IoT market. IoT is growing exponentially; experts forecast upwards of 50 billion connected devices by 2020. The industry estimates that 8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016. Total spending on endpoints and services will reach almost $2 trillion in 2017. While consumers purchase more devices, businesses spend more. In 2017, the use of connected things among businesses will drive $964 billion in hardware spending.
These businesses hope to ride the IoT wave to achieve competitive differentiation, cultivate additional revenue streams, deliver new monitoring capabilities that will transform maintenance services, and/or enhance and personalize the customer experience. Yet in the race to accelerate time-to-market for these next-generation products, many companies are giving short shrift to IoT-specific security challenges. IoT security concerns are comparable to enterprise IT concerns but complicated by scale, given the sheer number and variety of endpoints. Too often, organizations fail to account for security considerations during initial product development and test cycles. Alternatively, they opt to release IoT-enabled products quickly, only to address security issues after the fact. Both scenarios set the stage for possible breaches that can impact a company’s brand reputation and bottom line.
Concerns about IoT security are escalating as the number of IoT-enabled products multiplies. Experts have raised the possibility that any device connected to the Internet is at risk for hijacking. They underscore the unique security challenges of IoT, specifically that the small size and limited processing power of connected devices could impede encryption and other robust security measures.
It’s not just about the “things” that are owned or allowed to connect to a given network. Imagine a situation where a flaw in a common network-connected device was used to launch a Distributed Denial of Service (DDoS) attack—there have already been cases of home cable modems being used in botnets. This means systems may be affected by the insecurity of “things” in general. Similarly, if “things” are designed insecurely and have no mechanism for patching, they can act as a pool of malware capable of attacking other systems. So the security of IoT is a concern for the entire Internet community, not just device owners. Because those devices can affect the entire community, everyone has a common interest in their fundamental security.
Experts advise organizations to start building consumer trust in IoT devices by prioritizing security and by adopting “security by design” practices that integrate security capabilities at the earliest stages of product design. However, companies are still a long way from instituting security-by-design best practices. Most firms in the planning stages of IoT product development remain focused on connectivity, although organizations that have already released IoT-enabled products are grappling with more complex issues, including security.
Given the scope of possible issues, it’s increasingly clear that any business entering the IoT fray needs to consider security at the outset, not after the journey is underway.