How Secure Are IoT Solutions, Really?

The Internet of Things is growing. The installed base of connected devices is set to expand at a rate of 15–20% every year through 2020. But one thing may remain unchanged.

IoT security challenges are at the top of people’s concerns when it comes to implementing the Internet of Things in business settings.

Those waiting to open their wallets to IoT likely have events from late 2016 fresh in their memory. That October, the Mirai botnet enacted a distributed denial of service (DDoS) attack, infecting computers with malware that crashed websites across Europe and the US through high levels of artificially generated web traffic.

This botnet was unique because it lived amongst devices connected by the Internet of Things. It’s likely the first of its kind, living in everything from DVRs to DSLRs. The attack was carried out across 100,000 malicious endpoints which explains the widespread ramifications of the attack. It’s estimated that the resulting economic damage was about $110 million.

How the Benefits of IoT May Are Accompanied by Risk

The Mirai attack did not involve a network breach. Rather, weaknesses in security were discovered by software programmed to target devices that were secured only by their factory default passwords.

Everyday, objects with new smart, connective capabilities — from lamps to kitchen appliances and watches — are available to more people who don’t think twice about resetting passwords for everyday items in their homes. The unprecedented connectivity of IoT means that the task of maintaining secure digital infrastructures to overcome IoT security challenges is only becoming more complex.

Entire economies are put at risk as opportunities for attack expand at the same rate as applications of IoT become more pervasive in business environments and in consumers’ homes.

Businesses are drawn to the Internet of Things as an effective tool for gathering data that spurs innovation. But the inherent unprecedented connectivity promised by IoT makes standardization and regulation of privacy and data security more important to protecting for businesses and consumers alike going forward.

From hardware to network security, companies that leverage IoT in internal or client-facing software solutions need to devote the resources necessary to ensure a uniformd and end-to-end approach to accounting for IoT security challenges in their digital environments.

What it Takes to Overcome IoT Security Challenges

Simply following security best practices is actually an effective way to create a cohesive strategy to overcome IoT security challenges and can scale alongside a growing IoT solution.

Constant security monitoring should involve analysis of code quality on individual devices and the network portals that connect them, delineate user authentications and ownership of endpoints, as well as the protocols used to secure the data they generate.

It’s not necessary to reinvent the wheel when securing IoT solutions. In fact, responding to IoT security challenges is not unlike strategies already familiar to IT teams. Security in IoT demands a doubling down on common security protocols, a commitment to riding the wave of evolving industry standards, and the proper bandwidth to work with third parties services to verify that the systems in place work.

Comply with Regulatory Standards

• PCI DSS
• ISO 270001
• SOC 2
• HIPAA

Leverage Existing Protocols

• HTTPS
• MQTT

Control Access

• Mutual Authentication
• Multi-factor authentication

Companies May Need to Pave the Way to Better Security Standards IoT

From connected parking lots to car washes, novel uses of IoT mean that security standards can be immature, or in some cases, absent. Understandably, many business leaders are not comfortable with the risk entailed or capital required in paving the way towards standardizing methods that address and overcome IoT security challenges specific to their industries.

But putting security at the forefront of IoT projects can differentiate businesses in positive ways.

An IoT product of system that wins the security game represents a competitive advantage for the company responsible for the solution. Security is a service for which people will increasingly be eager to pay. Amazon dominates 40% of the IaaS and PaaS market, and there’s little doubt that its security-first approach has something to do with it.

As long as standards for security and privacy are conceived of as nascent, businesses and service providers can distinguish themselves by developing IoT solutions within highly regulated verticals.

Will Businesses Share the Burden of Solving IoT Security Challenges?

But formal efforts are being made to address the new challenge posed by securing expansive and intricate IoT solutions. Less than a year since the attack, new legislation seeks to bring regulation up to speed with security gaps created in the wake of rapidly evolving technologies.

In late summer 2017, a bill was introduced in the California Senate that would task manufacturers of IoT devices with implementing stronger security features during the device’s design phase. Security features would no longer be offered in post-production as “patch,” but rather baked into cutting-edge technologies.

The promise of a baseline of required security features would benefit businesses and users in the future, but that reality could be years away. Even when that day does come, the requirements may not suit every industry or business.

Businesses that lead efforts in creating rigorous and more formal security methodologies for evolving applications of IoT may themselves set the standards that are eventually adapted and reinforced elsewhere.

How Careful Data Collection Can Ease IoT Security Challenges

Smarter data collection can bolster overall a business’s strategy for securing its solutions despite IoT security challenges. Business leaders should weigh the business needs with its goals, determining the data that’s necessary for growth, and then collect all relevant data — and nothing more. This prevents privacy breaches and ensures that data collection is never passive, but an active commitment to informing solutions to business challenges.

Privacy is an important element of security in the context of IoT. Companies need to demonstrate that they collect sensitive data with an eye to transparency, describing what they are collecting, who has access to it, and how access to it is controlled.

For example, a worker at a hospital may need to access aspects of patients’ medical records in order to compile statistics for stakeholders. Medical details relating to any illnesses are not necessarily relevant to the task at hand. The software she uses to source this data should support a nuanced user authentication capability and comply with privacy regulations so that only relevant data is accessible to her.

A central framework that backs a strategic and refined approach to data collection makes for a streamlined implementation of privacy standards down the road and a more secure data landscape overall.

The Ongoing Cost of Responding to IoT Security Challenges

Since ongoing end-to-end system maintenance is the only way to ensure that an organization aligns its hardware, firmware, and software to respond properly to IoT Security Challenges, engaging a third party consultant who assesses IoT security architecture quarterly, on top of the business’s internal IT teams’ ongoing efforts, helps to ensure proper function and security.

However they choose to maintain and test the security of components in IoT solutions, business leaders should anticipate the bearing the ongoing cost of maintaining any compliancy. Services providers cannot be expected to accept the onus of security and compliancy.

Businesses must bake security into their approach to innovation,whether that means sourcing third-party risk management auditors to increasing the IT team’s budget to seek and maintain a more secure digital environment.

Original post can be found here.

Innovate with us. Click here to access all of our free resources.
Authored by Stanislas Walden.

Stan loves to make the obscure more apparent, the complicated more human and approachable. He strives to communicate the complex themes inherent in software development trends in a way that sparks curiosity and invites exploration.

As the Content Associate, Stan helps to develop content and coordinate communications that elevate MentorMate’s voice and connect people with vital information that helps them create tools that help other people.

When he’s not researching or publishing a new article, Stan enjoys running around a few of Minnesota’s many lakes and looking for new recipes.