10 security challenges in the IoT ecosystem
Let’s begin with some statistics. By 2020, says a study, there will be 20.4 billion ‘connected things’ across the world. Through 2022, says another study, half of all security budgets for the Internet of Things (IoT) will go to fault remediation, recalls and safety failures rather than protection.
In our relentless hunger for smarter, connected devices – smart phones, smart watches, smart cars, smart speakers, smart thermostats, smart door locks, and what have you – are we compromising on the security aspect? Research has found that many IoT-based baby monitors can be easily hacked and used to remotely view live feeds and control the monitor. Similarly, the motion sensors embedded in smart watches can be used to steal information, just as health data can be lifted from fitness apps. For enterprises, these security gaps are a huge risk.
Compared with traditional network security, IoT presents a plethora of new security challenges. Essentially, because the range of communication protocols, standards and device capabilities is much wider, the complexity of the issue increases exponentially. Here’s a look at the top 10 security challenges in the IoT ecosystem:
1. More isn’t merrier
As the number of devices behind a network’s firewall increases, security becomes a trickier proposition. The more the devices, operating systems, protocols and endpoints, the more the pathways into the network. In other words, the attack surface increases substantially.
Moreover, network administrators have to deal with different vendors and different generations of devices that come with varied capabilities. Imagine keeping pace with the status of myriad sensors, cameras, controllers and other devices within an organization! Even seemingly innocuous devices, like security cameras, can become a security threat. Enterprises have to think beyond the firewall.
2. Open network challenge
What makes IoT such an incredible technology is its seamless information sharing and collaboration capabilities. Open network architectures make that possible. However, it’s this very nature of IoT’s network that poses the biggest threat to security. Devices are being compromised remotely and turned into zombies to launch massive distributed denial-of-service (DDoS) attacks. Enterprises need to re-evaluate their security policies and procedures to ensure that IoT-enabled devices aren’t open to cyber threats.
3. Settings & updates
In most cases, IoT devices use default accounts and passwords, making them easy targets for hackers. Is it possible to securely authenticate each device by relying on a password? What’s more, data pathways between IoT devices are not always secure.
Enterprises deploying off-the-shelf IoT devices are not always aware of the level of network access the devices have, or of how mature the organization that built the device is in terms of information security. A majority of tech companies are guilty of not updating their devices periodically. Enterprises, on the other hand, are busy adding new devices that still don’t have any security designed into them to their ever-growing IoT networks.
4. Matter of physical security
Unlike computer servers, IoT servers are typically not in access-restricted machine rooms. So, physical security is an oft-ignored, yet serious, concern. What if someone tampers with a device? Can the IT department detect the problem and remedy the situation? Enterprises don’t yet have fool-proof answers.
5. Not all ‘things’ are equal
Security takes computing power, and many ‘things’ on the IoT network are designed for low power consumption with limited connectivity. The inadequate processing capacity and memory are huge deterrents when it comes to security measures, like encryption. In other words, not all IoT devices have the required bandwidth, power, storage and computing ability to make them truly secure.
6. BYOD threat
The ‘Bring Your Own Device’ (BYOD) movement is believed to help improve work-life balance and increase productivity. However, with employees bringing their own mobile devices – laptops, tablets, and smartphones – to work, enterprises have new-fangled security battles to fight. How can they authenticate who you are communicating with and verify the same with confidence? How can they ensure that the security of your personal device is not compromised, which in turn could put their own networks at risk?
7. Risk management
When an IoT device is compromised – as such devices often are – can the enterprise identify what really went wrong? Can the IT department ensure that the entire network doesn’t come down because of a single point of failure?
IoT calls for a sophisticated approach to risk management. Experts believe that IoT security analytics will be the game changer. However, in the absence of standardization of security protocols and broad network security policies, the ground realities are far from encouraging.
8. Who’ll bell the cat?
Nobody is quite willing to accept responsibility for the security of ‘things’ in the IoT ecosystem. There’s a constant blame game between manufacturers of the device and companies that provide service through the device. Naturally, the legal implications of IoT security breaches are still uncertain.
9. Privacy pangs
When we think of IoT security, we mostly think of hackers getting their hands on our precious data. But what about companies distributing fitness trackers to their employees so that they can track employee health and thus get lower health insurance premiums? What about companies selling sensitive enterprise data to other companies? Are we ready to risk it?
Worldwide, privacy violations emerging from IoT-related initiatives are becoming more common. Without strong privacy controls, especially for data at rest, the price we pay for the blend of our physical and digital domains may be too high.
10. In the thick of competition
The competition in the IoT space is so ruthless that vendors are rushing products to the market, with security often added as an afterthought (if at all) rather than being built-in from the start. Speed of delivery and low cost are more important than robust security and thorough testing. It doesn’t help that, currently, IoT devices lack a common set of compliance requirements.
It’s true that IoT devices offer exciting opportunities to improve customer satisfaction and engagement. However, they also introduce new security challenges. These are not just about tapping billions of devices, but also about different operating systems, networks, and protocols.
Enterprises need to have robust security measures in place as well as a comprehensive security strategy – which is periodically reviewed. As the technology is still developing, security in IoT is likely to be a complicated affair. At least, for a while.