October 14, 2015 - Is the Internet of Things safe? A new survey from global cyber security association ISACA suggests a major confidence gap about the security of connected devices between the average consumer and cyber security and information technology professionals.
According to the consumer segment of ISACA's 2015 IT Risk/Reward Barometer, 64 percent of US consumers are confident they can control the security on the Internet of Things (IoT) devices they own. Yet according to more than 7,000 global IT and cyber security professionals who responded to a parallel survey, only 22 percent feel this same confidence about controlling who has access to information collected by IoT devices in their homes.
Consumers in the UK, India, Australia and Mexico are similarly confident in their cyber self-defense skills, and the majority consider themselves knowledgeable or very knowledgeable about the IoT. This number ranges from 95 percent of Indian consumers to 76 percent of UK consumers. The global average estimated number of Internet of Things devices in the home was six. Smart TVs topped the list of most wanted connected device to buy in the next 12 months, with wearable devices, such as smart watches and fitness trackers, also highly ranked.
The Hidden Internet of Things
ISACA’s survey of global IT and cybersecurity professionals depicts an IoT that flies below the radar of many IT organizations—an invisible risk that survey respondents believe is underestimated and under-secured:
- Nearly half believe their IT department is not aware of all of their organization’s connected devices (e.g., connected thermostats, TVs, fire alarms, cars)
- 73 percent estimate the likelihood of an organization being hacked through an IoT device is medium or high
- 63 percent think that the increasing use of IoT devices in the workplace has decreased employee privacy
The IoT for business-to-business use alone is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices worldwide by 2020, according to one estimate.*
“In the hidden Internet of Things, it is not just connectivity that is invisible. What is also invisible are the countless entry points that cyber attackers can use to access personal information and corporate data,” said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, international president of ISACA, group director of Information Security for INTRALOT. “The rapid spread of connected devices is outpacing an organization’s ability to manage it and to safeguard company and employee data.”
However, the business risk of not embracing the IoT and falling behind competitors may well outweigh any potential cost of a cyberattack, noted Dimitriadis. He added that organizations need to manage the risk to achieve the most benefit.
According to global cyber security and IT professionals surveyed, device manufacturers are falling short. Seventy-two percent say they do not believe that manufacturers are implementing sufficient security measures in IoT devices. A nearly equal proportion (73 percent) don’t think current security standards sufficiently address the IoT and believe that updates and/or new standards are needed. Privacy is also an issue; 84 percent believe that device makers don’t make consumers sufficiently aware of the type of information the devices can collect.
ISACA’s consumer research suggests that consumers are likely to value businesses that can demonstrate their expertise in and commitment to cyber security best practices: globally, the majority of consumers say it is important that data security professionals hold a cyber security certification if they work at organizations with access to the consumers’ personal information (US 89 percent, Australia 93 percent, India 96 percent, Mexico 98 percent, UK 90 percent).
“Device manufacturers should lead the charge on adopting an industry-wide security standard that addresses IoT security, and put in place rigorous security governance and professional development for their cyber security employees. ISACA’s research shows a direct connection between positive customer sentiment and companies that can demonstrate security credentials,” said Robert Clyde, CISM, international vice president of ISACA and managing director of Clyde Consulting LLC.
Ways for Enterprises to Maintain a Cyber-Secure Workplace
- Safely embrace IoT devices in the workplace to keep competitive advantage
- Ensure all workplace devices owned by organization are updated regularly with security upgrades
- Require all devices be wirelessly connected through the workplace guest network, rather than internal network
- Provide cyber security training for all employees to demonstrate their awareness of best practices of cyber security and the different types of cyberattacks
Best Practices for Manufacturers of IoT Devices
- Require all developers who build software to have appropriate performance-based cyber security certification, to ensure safe coding practices are being followed
- Insist all social media sharing be opt-in
- Encrypt all sensitive information, especially when connecting to Bluetooth-enabled devices
- Build IoT devices that can be automatically updated with new security upgrades
ISACA established Cybersecurity Nexus (CSX) to help organizations develop their cyber security workforce and help individuals advance their cyber security careers. For information on CSX, including the CSX 2015 cyber security conference and the new CSX Practitioner certification, visit https://cybersecurity.isaca..