Gartner: Makers of things for Internet of Things undervalue security

Gartner says that vendors making devices for the Internet of Things put user friendliness and time to market ahead of security.

As the Internet of Things develops, most vendors making these things don't make security their top priority, allowing business considerations to take precedence, according to a Gartner expert.

"Some of the leading vendors that are developing products are making some effort to address security concerns, but Gartner believes the majority aren't at this stage -- convenience, user friendliness, time-to-market all win out over security at this point," says Earl Perkins, a research vice president at Gartner.

Makers of components for these devices often do address security as evidenced by ARM buying up software security firm Offspark this week so it can put TLS encryption right inside ARM's mbed operating system.

"Gartner views this acquisition as indicative of a general trend in the industry by companies previously concerned about chipsets and firmware now recognizing that software-defined security will play an increased role in their future sales," he says.

"More such purchases by such vendors will occur this year. While not at liberty to go into much detail regarding specific vendors due to the ongoing, early nature of their development, you already see this in prominent vendors such as Intel, who began this journey years ago and has completed several acquisitions to build out their portfolio for IoT application development and security."

But too often that doesn't carry over into the products those components go into. Because builders of devices might not be as security conscious as component manufacturers, customers need to carefully evaluate on their own the security of the products they do buy and see that they don't have weaknesses similar to those that plagued mainframe-to-client, client-to-web, web-to-mobile and cloud architectures in their formative stages, he says. "Raising the level of awareness among enterprise user and consumer alike so that they demand that IoT security not be a repeat of past performances," Perkins says.


HP studied consumer devices built for the IoT and concluded they lack important security measures. A study done last year of 10 of the most popular devices and a second study, just released, of 10 of the newest home security systems both found security lacking. HP didn't name the devices it looked at in either study.

The best advice HP could offer enterprise customers is to partition IoT devices from the rest of the network, so that damage can be contained if they are compromised, and to turn on security features that might not be activated by default. These could include boosting password strength, locking accounts after a certain number of failed login tries and requiring two-factor authentication, HP says.

This is of such a concern that HP sponsors a study group called the Internet of Things Top Ten within the Open Web Application Security Project (OWASP) to raise awareness about security issues customers should weigh when building, assessing and deploying IoT devices.

The group has formulated a list of the top 10 security problems facing IoT devices, and how to prevent them. The list of problems includes insecure Web interfaces, weak authentication, limited security configurability, buggy software and firmware, and insecure cloud and mobile interfaces as well as transport-layer security.

The need to shore up IoT gear will get increasingly urgent as a majority of businesses come to rely on it for profitability, according to a Gartner survey conducted last month. Of 463 Gartner business clients polled, 63% say that within five years the IoT will either transform their businesses entirely or enable significant new revenues or cost savings.

Manufacturing and retail businesses will be affected most by the IoT, with government, education, banking and insurance being least affected, Gartner says.

Perkins says component makers will address security of their products, makers of devices will have a different set of security concerns and providers that use these devices to deliver services will have yet another set of priorities. "As you move through the supply chain to the consumer or enterprise user, each will have their set of security requirements," he says. "I would like to think all of them know their role in delivering end-to-end cybersecurity, but alas, that is the exception rather than the rule."
