IoT: The huge cybersecurity blind spot that’s costing millions – Help Net Security
In many ways, IoT has made our lives easier. We are technologically connected in ways we never thought possible.
But organizations need to be aware of the cybersecurity blind spots generated by the prevalence of IoT technology, because connected devices are opening virtual doors into organizations’ networks.
The enterprise IoT cybersecurity blind spots
According to Forrester, over 60% of enterprise cyberattacks originate from the trust organizations place in a partner or vendor, and from vulnerable devices ending up in the end product or system ecosystem. That is where the blind spot comes in: organizations currently have no visibility into the security strength of a partner's or vendor's device, software or component, so they need a way to assess and validate partners and their products before those products become part of an IoT system.
RFPs can help businesses find suppliers that meet their needs from a functionality perspective, but there is still the question of how to properly assess the security of the supplier. Working with multiple partners or vendors will mean those players will, in turn, seek components from elsewhere, bringing even more third parties (with unknown levels of security) into the mix. There’s very limited visibility as to where the new components come from, how rigorously they’ve been tested and how secure they are.
To return to the door analogy: you might buy a door from Home Depot, only to find that burglars have discovered a weakness in its lock and broken into your home. Who knows which vendor supplied the lock? Is that vendor at fault, or Home Depot, or you? Which raises the question: if a system is hacked, who is to blame?
The IoT blame game is costing everyone
As IoT adoption becomes more widespread, 93% of enterprises are finding it necessary to increase their security spend on IoT and unmanaged devices as a result. The vast number of components IoT brings in, and the many new entry points it opens into systems, make securing them a complex and time-consuming proposition. Meanwhile, the cost of cyber insurance is at an all-time high, with 82% of cyber insurers surveyed expecting premiums to keep rising because of the difficulty of covering systems with IoT connections.
Because IoT is a relatively young industry there are no comprehensive standards nor a clear division of responsibility for these issues. This is where the blame game starts. Who is responsible, and who will end up paying for the mistakes made?
Every player in IoT has the duty to protect themselves, but it is important to move past that singular focus and create an industry of trust that’s mutually beneficial for all. Industry standards – as they have in numerous other industries like telecoms and payments – can help bring stakeholders onto the same page to realize greater efficiencies, higher security, interoperability, and a more competitive ecosystem.
This is the reason the industry came together within the FIDO Alliance to develop a set of specifications that instill a very necessary level of trust during the IoT device onboarding process.
Cyber assurance – Building trust, standards, and compliance
The FIDO Alliance launched FIDO Device Onboard (FDO) in 2021 to tackle the two biggest issues facing IoT deployments: efficiency and security at the point of onboarding. The main feature of FDO is fully automated device onboarding, which considerably speeds up what was previously a manual process. FDO also replaces generic password credentials with cryptographic keys, so a device is authenticated by proving possession of a key rather than by presenting a shared or default password that can be guessed, copied or left unchanged, making the devices considerably more robust against attack. Onboarding trust secures the hand-off, not the device's whole lifecycle: a device onboarded this way can still ship with vulnerable firmware, which is why assessing the components themselves remains necessary.
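The onboarding model described above, shown as an added example in Go that is not FDO's own code or wire format: a simplified ownership voucher in which the manufacturer signs the hand-off to the next owner, each owner signs the hand-off to the one after it, and the device (trusting only its GUID and the manufacturer key provisioned at production) walks that chain before a nonce-signed challenge in each direction replaces a default password. The type and function names, the GUID value and the hash layout are constructed for illustration; real FDO uses its own encoding, a rendezvous step and further protocol messages not modelled here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Entry is one ownership transfer: the current owner signs the chain hash so far plus the next owner's key.
type Entry struct {
	PrevHash []byte
	Next     *ecdsa.PublicKey
	Sig      []byte
}

// Voucher is a simplified stand-in for an ownership voucher (illustrative, not the FDO wire format).
type Voucher struct {
	GUID    []byte
	DevKey  *ecdsa.PublicKey // key the manufacturer bound to this device at production
	MfgKey  *ecdsa.PublicKey // first owner; the device trusts this key from production
	Entries []Entry
}

func keygen() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func pub(k *ecdsa.PublicKey) []byte { return elliptic.Marshal(elliptic.P256(), k.X, k.Y) }
func digest(parts ...[]byte) []byte { s := sha256.Sum256(bytes.Join(parts, nil)); return s[:] }
func (v *Voucher) headHash() []byte { return digest(v.GUID, pub(v.DevKey), pub(v.MfgKey)) }

// tip returns the current owner (the only party allowed to extend or present the voucher) and the hash the next entry must commit to.
func (v *Voucher) tip() (*ecdsa.PublicKey, []byte) {
	if n := len(v.Entries); n > 0 {
		e := v.Entries[n-1]
		return e.Next, digest(e.PrevHash, pub(e.Next))
	}
	return v.MfgKey, v.headHash()
}

// Extend hands the device to next; without the current owner's private key a copied voucher cannot be extended.
func (v *Voucher) Extend(cur *ecdsa.PrivateKey, next *ecdsa.PublicKey) error {
	owner, prev := v.tip()
	if !cur.PublicKey.Equal(owner) {
		return errors.New("signer is not the current owner")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, cur, digest(prev, pub(next)))
	if err != nil {
		return err
	}
	v.Entries = append(v.Entries, Entry{PrevHash: prev, Next: next, Sig: sig})
	return nil
}

// Verify is the device-side check: trust only the provisioned GUID and manufacturer key, walk the chain, return the current owner.
func (v *Voucher) Verify(trustedMfg *ecdsa.PublicKey, guid []byte) (*ecdsa.PublicKey, error) {
	if !bytes.Equal(v.GUID, guid) || !v.MfgKey.Equal(trustedMfg) {
		return nil, errors.New("voucher is not for this device or manufacturer")
	}
	owner, prev := v.MfgKey, v.headHash()
	for i, e := range v.Entries {
		msg := digest(prev, pub(e.Next))
		if !bytes.Equal(e.PrevHash, prev) || !ecdsa.VerifyASN1(owner, msg, e.Sig) {
			return nil, fmt.Errorf("entry %d: broken chain or bad signature", i)
		}
		owner, prev = e.Next, msg
	}
	return owner, nil
}

// proves is a fresh-nonce challenge: unlike a password, a captured response cannot be replayed.
func proves(holder *ecdsa.PrivateKey, claimed *ecdsa.PublicKey) bool {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, holder, digest(nonce))
	return err == nil && ecdsa.VerifyASN1(claimed, digest(nonce), sig)
}

// Onboard is the key-based hand-off: the presenter must prove it holds the voucher's final owner key and the device the key bound to its GUID.
func Onboard(v *Voucher, trustedMfg *ecdsa.PublicKey, guid []byte, presenter, device *ecdsa.PrivateKey) error {
	ownerKey, err := v.Verify(trustedMfg, guid)
	if err != nil {
		return err
	}
	if !proves(presenter, ownerKey) || !proves(device, v.DevKey) {
		return errors.New("challenge failed: presenter lacks the owner key or device lacks its bound key")
	}
	return nil
}

func main() {
	mfg, dist, owner, dev := keygen(), keygen(), keygen(), keygen()
	guid := []byte("constructed-guid-0001") // constructed sample identity
	v := &Voucher{GUID: guid, DevKey: &dev.PublicKey, MfgKey: &mfg.PublicKey}
	v.Extend(mfg, &dist.PublicKey)   // manufacturer -> distributor
	v.Extend(dist, &owner.PublicKey) // distributor -> end customer
	fmt.Println("onboard by legitimate owner:", Onboard(v, &mfg.PublicKey, guid, owner, dev))
}
```

The point the example makes is what the password model cannot: a voucher copied in transit is useless to anyone who does not hold the final owner's private key, a party outside the chain cannot extend it, a cloned device without the key bound at production fails the challenge, and altering any entry breaks every signature after it. What it does not cover is the device's firmware once onboarded, which is why component assessment remains necessary.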
Better industry standardization is crucial to the IoT industry as it starts to mature. It will set the bar for products to meet specific requirements for functionality, security, and usability, while ensuring all interoperate seamlessly and are easy to produce and connect at scale. As an industry-recognized seal of approval, vendors and partners can be sure that the products they are working with meet the high standards they need, and create a strong, trusting relationship between them.
Security is one of the most important factors when choosing a vendor, and compliance with a recognized standard gives a vendor a clear way to demonstrate how resilient its offering is. For the system manager, or 'customer' in this scenario, the benefits can also include lower cyber insurance premiums and less spend on mitigating costly breaches.
Like any nascent industry, IoT will have growing pains as the ecosystem and its players find their footing and learn from their mistakes. As IoT reaches its adolescence, so to speak, now is the right time to ensure there is an easy-to-follow process and a high level of trust between vendors and partners. For that, we need industry standards such as FDO.