May 25, 2016

Internet of Things: A Web of Risk?

Enterprises diving into IoT strategies are discovering a cybersecurity nightmare.

The emergence of cyberspace created the opportunity to connect in ways we would previously never have imagined. The Internet of Things (IoT) takes those opportunities to yet another previously unimagined level, creating a living, interactive nervous system. IoT technologies can sense presence and proximity, connect and analyze, and respond to the surrounding environment. With the right systems in place, IoT can even anticipate the actions and reactions in that environment.

This power is why an increasing number of enterprises are making strategic commitments to IoT technologies. But just as these breakthroughs represent unprecedented opportunity, they also expose the enterprise to whole new levels of risk.

“In a hyper-connected world where everything talks to everything, identities are extremely difficult to track,” says Andrzej Kawalec, HPE Chief Technology Officer, Security Services. “IoT dramatically expands the attack surface with devices that operate outside of traditional perimeter defenses.” And with few exceptions, each of these devices has an alarming number of vulnerabilities.

Compounding of Risk

Cyber threats are constantly escalating. Cybercrime itself is a thriving marketplace. Governments, organized crime, and radical political movements drive a robust business of theft, blackmail, and organizational espionage. Proceeds seized through successful cyber schemes are often invested in cybercrime innovation.

To this escalating threat we’re adding an expanding field of vulnerabilities. Organizations globally are aggressively pursuing IoT strategies. According to the Worldwide and Regional IoT Forecast, there will be 30 billion connected devices by 2020. Nearly every one is a potential entry point for hackers.

The reason? Connected sensing devices are generally not manufactured by technology companies. They’re produced by automobile manufacturers, health care providers, or utilities, for example. Software development life cycles and security are not an important component of the engineering process.

Yet these device manufacturers realize that if they don’t prioritize connectivity, they won’t survive in this digital environment. Compounding these vulnerabilities, the lifespans of traditional manufactured goods and technology devices diverge dramatically. Digital devices often have lifespans as short as 20 months. Compare that to traditional manufactured goods (cars, televisions, appliances) whose lifespans often extend more than a decade.

For example, this means the digital components in a connected car will age at a much faster rate than the car itself. And each obsolete technology component with outdated firmware introduces a whole range of security vulnerabilities.

Consumer Thrust

IoT is largely driven by the massive consumer adoption of technology. A few years ago the average home had perhaps three connected devices. Today, it may have as many as 30—from laptops, printers, and smartphones to televisions, thermostats, and refrigerators. Devices such as home routers and baby monitors are a rat’s nest of security flaws.

“As individuals, we are really, really bad at assessing risk,” says Kawalec. “Risk perception is shaped largely by unconscious emotional processes to the extent that we have a very personal risk appetite shaped by the probability of ‘something bad happening.’ We need to build the link between a digital action and the cyber risk—for example, passwords. We aren’t smart with passwords—‘123456’ and ‘password’ were the most used passwords in 2015, and 95 percent of users freely share as many as six of their passwords with others.”

And with the lines between work and leisure blurring, holes in home networks can easily expose confidential enterprise information.

Securing the Edge

To protect against IoT vulnerabilities, enterprises should include security audits with any IoT strategy. Steer clear of IoT device manufacturers that don’t bake security into their devices and processes from the start. In addition, ensure that customers, suppliers, and partners adhere to the same security standards you do.

But many of these persistent vulnerabilities won’t dissipate until device companies recognize that releasing insecure products degrades their brand and exposes them to organizational risk. Consumers can add pressure by basing technology-buying decisions on security.

IoT represents perhaps the greatest opportunity and the most profound disruption our market and social environment will ever face. With a keen focus on security, we can ensure its value-rich future.
