Organizations face some critical decisions as they seek to push ahead with their Internet of Things (IoT) projects. Security has topped the list of concerns in Vodafone’s IoT Barometer 2017/18 since the first Barometer in 2013. And it’s still there.
But, the results of this year’s survey suggest organizations are looking to tackle the issue head on — and are getting more optimistic; 82% say security is a critical factor in IoT decision-making. They don’t see it as a limiting factor, but rather as an enabler that gives their business the confidence to push forward.
Adopters are taking steps to get the right security skills
Adopters are investing in the skills and processes to manage IoT security effectively. According to the barometer, around three-quarters (73%) of adopters say they have adequate skills to manage IoT security. And a similar proportion (75%) say they have adequate processes to manage IoT security. Of course, that still leaves a quarter of adopters with work to do.
Even those businesses yet to roll out IoT are fairly confident in their ability to manage security — 50% of considerers believe they have the adequate skills.
Adopters have stepped up training to help manage the security risks associated with IoT. In 2016, 42% reported that they were training existing staff to improve their ability to deal with security. That’s increased to 48% in 2017. And more adopters are now recruiting IoT security specialists — 46% in 2017, compared to 41% in 2016.
Adopters are seeking help from specialists
Adopters are also increasingly working with third-party experts. The barometer states that 47% are now working with specialist security providers, up from 40% in 2016. As they roll out larger, more complex IoT programs, they’re more likely to seek the help of these specialists (55% of those with 10,000+ devices; 42% of those with under 100). 76% of adopters are confident their suppliers have the skills to mitigate IoT security risks effectively.
Security isn’t a case of once and done
Organizations need to think through all their security requirements at the beginning of a project. And it makes sense to test that the measures put in place are effective. 37% of adopters test the security of their IoT during development — it should be more.
But the task of securing IoT doesn’t end when it’s up and running. The threats organizations face from cybercriminals are constantly evolving. And so is the infrastructure you need to protect as you add more IoT devices and continue your digital transformation.
So, it’s encouraging to see that 40% of adopters are testing and scanning for vulnerabilities after launch. 75% of adopters cite security as a factor when choosing connectivity for IoT projects, making it their number one consideration.
Security isn’t a point solution — it needs to be end-to-end
When asked who bears most responsibility for ensuring data security, 43% of adopters said the platform/hosting provider, 27% the connectivity provider, 21% the systems integrator, and 20% the device user. 38% replied “us, the business”.
The point here is that most organizations think of securing data where it resides. But in practice, to keep IoT data safe, security needs to be end-to-end. Your data center or the cloud, your network and your IoT devices all need to be secure. And that means having a clear sight across your whole IoT system. Today, some organizations are struggling to achieve that — 59% of adopters say IoT devices are difficult to secure and manage in the field.
54% of adopters say the IoT data they collect has no value to a hacker. Some sensors are collecting very basic information on the state of a machine, for example.
But just because the data is of no value, that doesn’t mean you can relax your security. The breach of an IoT system could act as a stepping stone to another system — that’s a concern for 68% of adopters.
It’s worrying then that just 27% of adopters say they segment their IoT solutions from other systems — a measure that could mitigate much of this risk.
68% of adopters are concerned that a breach of an IoT system could act as a stepping stone to other systems.
The analyst view – Analysys Mason
“We have seen a shift in attitudes towards security in the past few years. Previously, security was seen as important, but was not given much prominence within an organization. Now, we are seeing security receive senior management attention. Firms have seen the damage — both financial and reputational — that security breaches can cause.
“IoT is a key part of this as it creates so many new potential points of entry into a system. For example, Target’s 2013 breach, where millions of credit card details were stolen, was traced back to hackers entering through the heating, ventilation and air conditioning (HVAC) system — essentially an IoT solution. Increasingly, firms implementing IoT solutions are asking about security early on in the project and insisting that it is built in by design.”