Nearly half of businesses have no way to detect whether their Internet of Things (IoT) devices have been breached by outsiders, according to a new global study that found respondents are looking to government bodies to establish and enforce stronger IoT security guidelines.
Despite growing investment in IoT security and management platforms, some 48 percent of the 950 IT and business decision-makers involved with the Gemalto-Vanson Bourne State of IoT Security report said they were unable to detect a breach of any of their IoT devices.
Australian companies were particularly weak in this area, with just 37 percent of Australian respondents saying they could detect an IoT breach – well behind respondents in India (67 percent), Brazil (65 percent), Germany (54 percent), the US (52 percent), and the UK (42 percent).
With half of respondents using third-party IoT devices and a third using IoT devices of their own design, this translates into a high degree of opacity that could have direct implications for overall data security and network protections – particularly with 53 percent using IoT-enabled devices to improve external communication channels, 51 percent using them for customer benefits, and 47 percent leveraging them to develop new business models.
The security of these initiatives has significant implications for companies’ ability to comply with data-protection mandates such as Australia’s Notifiable Data Breaches (NDB) legislation and the EU General Data Protection Regulation (GDPR), with IoT devices seen as more of a threat to data privacy than even the risk of hackers taking control of devices and personal data.
Some 14 percent of respondents believe IoT security is an ethical responsibility to their customers, with 48 percent agreeing that it is a big issue for those customers and 97 percent seeing a strong approach to IoT security as a key competitive differentiator.
Average spending on IoT security had increased from 11.07 percent of IoT spending in 2017 to 13.15 percent in 2018.
Encrypting data traversing IoT devices was one potential tool, although Australian companies were less diligent at such investments: just 57 percent of Australian companies said they were encrypting all of the data they capture or store using IoT devices – compared with 67 percent in the US, 66 percent in Brazil, 64 percent in the Middle East, and 59 percent in Germany.
The implications of continued poor IoT security for companies’ regulatory compliance have led many businesses to look to government for closer involvement in the effort to improve IoT security: 79 percent of respondents called on governments to lay down more robust frameworks.
“Given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still can’t detect if they have been breached,” Jason Hart, CTO for Data Protection with Gemalto, said in a statement.
“With no consistent regulation guiding the industry, it’s no surprise the threats – and, in turn, vulnerability of businesses – are increasing. This will only continue unless governments step in now to help industry avoid losing control.”
Concerns over IoT security have spread widely across the enterprise space, particularly on the back of findings such as those of a recent project in which researchers were able to discover passwords for 16 tested IoT devices within 30 minutes.
Recognising a substantial market opportunity as well as a pressing security need, industry players have been working hard to bolster their IoT security practices and technologies to become more proactive and effective.
The figures reinforce earlier findings such as those of a recent Trend Micro survey that found 86 percent of 1150 respondents believe their organisation needs to improve its awareness of IoT threats. Fortinet, for one, recently released a network access control that applies network segmentation techniques to secure IoT devices.
“Businesses are clearly feeling the pressure of protecting the growing amount of data they collect and store,” Hart said. “But while it’s positive they are attempting to address that by investing in more security, such as blockchain, they need direct guidance to ensure they’re not leaving themselves exposed.”