IoT data security vulnerable as connected devices proliferate
The number of connected devices continues to grow exponentially worldwide, raising major IoT data security questions for companies and their customers.
The number of connected consumer products already tallies in the billions, and analysts estimate it will hit 6.4 billion worldwide this year. There's plenty of business potential in these expanding connections, but there's a big downside: The number of possible IoT security vulnerabilities is growing exponentially as well.
The Internet of Things makes virtually every aspect of information governance more complicated: There are more devices, more vulnerabilities and more information flowing between them. That makes IoT data security more complicated, too.
"It just opens up new pathways," said Allan Haughton, senior manager at Accenture Digital-Mobility. "IoT extends the security model in many new and often unexpected ways. It's a much more sprawling model."
Haughton pointed to the humble TV remote to illustrate the new threat. New remotes are voice activated and have live microphones continually connected to a larger network. Are they convenient? Yes. Secure? Maybe not.
"Providing that nice service is really cool, but not understanding how that can be misused is one of the big problems we're seeing," Haughton said.
IoT data security challenges
Executives shouldn't underestimate the challenges of IoT data security. According to figures released by Gartner in November, there will be 6.4 billion connected "things" used worldwide in 2016, with 5.5 million new products connecting daily. By 2020, the number of connected things is projected to jump to 20.8 billion.
Analysts predict that the cost of cybercrime will rise as dramatically as the number of connected devices. Juniper Research's May 2015 report "The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation" predicts that the cost of data breaches will reach $2.1 trillion globally by 2019. This is four times the estimated cost of data breaches in 2015. While the report predicted that the majority of future breaches will come from existing IT and network infrastructure, IoT will still account for a significant portion of the losses.
Experts say there are IoT security vulnerabilities along the entire chain: Someone could spoof a sensor connecting to transmit data; an organization with poor authentication could inadvertently allow a hacker onto its network; an insecure connection could allow a cybercriminal in.
Once a bad actor is in, there's no telling how far that entity could get because an entry at one point along the chain could provide access to other points within that IoT environment. Think such scenarios are unlikely? The massive 2013 Target breach started when its HVAC contractor's credentials were stolen.
Analysts point out that the stakes are even higher for IoT. Cybercriminals could not only access data such as credit card numbers but also sabotage critical infrastructure such as traffic control systems, the power grid or manufacturing plants.
Today's security measures won't be enough to stop them, said Steve Wilson, vice president and principal analyst with Constellation Research Inc.
"The state of the art in information security is frankly not up to the job of safeguarding the Internet of Things," he said in an emailed response to interview questions. "IoT is all about automation and speed and getting the humans out of the way. The level of reliability and resilience needed for IoT is vastly greater than what we are used to in computing now."
Executives are working toward that end, analysts said, developing strategies and best practices to alleviate IoT security vulnerabilities.
IoT data analytics, security advancements
Several key IoT security strategies are at play, particularly around behavioral analysis and access entitlements. Organizations can use big data and IoT data analytics to learn, identify and then respond to unusual behavior that could indicate a potential breach, said Robert Stroud, CGEIT, CRISC, Immediate Past International president at ISACA and principal analyst at Forrester Research.
"Technology is not only creating the problem, but it's helping to mitigate the problem," he said.
Vendors, too, are providing more security measures that are critical in the IoT ecosystem. Cloud providers offer encryption for both data at rest and data in transit. Others have authentication platforms and identity networks.
There are also proposals to create standards in communication protocols, which would enable not only interoperability and more resilience but also the development of better IoT security.
"It brings everything together because you know how they're going to operate, and when you know that you can really lock them down," said Haughton, who also stressed the need to design more resilient systems and to develop Agile thinking to better respond to evolving threats.
None of these measures are quite ready for prime time, experts said. For instance, organizations using big data analytics must also implement processes so their systems can use the information to respond instantaneously. Using IoT data analytics to generate reports or flag problems for review won't provide enough security.
Christian Renaud, research director of 451 Research's IoT practice, said old-fashioned collaboration remains critical.
CIOs, CISOs and other executives, particularly those in operations, need to build understanding and trust so that they as a team can identify potential threats, assess the risks they pose to operations, and devise and deploy appropriate strategies and technologies to mitigate them.
As such, authority for IoT security must move beyond the CIO or the CISO's office.
"It's an organizational issue long before it's a technical one," Renaud said.
Despite the risks, analysts are optimistic about the organizational ability to both capitalize on and secure the Internet of Things. They were quick to acknowledge, however, that neither will be without setbacks and challenges.
"There are innumerable use cases [for IoT] that aren't as high stakes, and all those low-hanging fruit cases will be our first ones. And there will be early adopters who say, 'What the hell? Let's do it.' They'll be the people who discover the landmines and allow us to make the big leaps," Renaud said.