With the number of connected Internet of Things (IoT) devices anticipated to swell beyond 41 billion by 2025 according to a forecast from IDC estimates and the number of cyber attacks on such devices growing exponentially by the day, organizations should put security at the forefront of their priorities around IoT solutions. In an effort to help organizations shore up their security postures, Deloitte offers five tips to address IoT security in the products that organizations deploy in their environments and encourages manufacturers that make connected products to take a secure-by-design approach.
California is leading the charge with a new Internet of Things Security Law taking effect on Jan. 1, 2020, requiring all IoT devices sold to be equipped with reasonable security measures. Consequently, organizations should prepare and protect their companies, customers and communities. The benefits of IoT connectivity far outweigh the investment in cyber measures to ensure the integrity of the devices, networks and programs.
IoT device security best practices
1. Take note of every endpoint added
The expanse of IoT increases with every endpoint added into a network. This adds more vulnerabilities and has become a more popular and destructive cyber attack. While the adversarial landscape is always changing, Deloitte advises organizations to bring as much of their endpoint footprint under their security management in order to better secure the attack surface. Once these devices are managed, integration of security tools can be a more effective security focus for the organization. As with most domains within cybersecurity, security professionals realize that in order to meet the complex security challenges of their organizations, they should formulate a sound security strategy and constantly evolve by making continuous improvements to best mitigate their risks.
2. Align operational technology, IT and security
In addition to IoT, enterprises are managing multiple digital transformation initiatives simultaneously. Yet, according to the “Deloitte Future of Cyber” study, less than 10% of cyber budgets are allocated to these efforts. For companies to be successful with IoT initiatives, they need a new approach. One that helps them understand enterprise and cyber risks; develop a plan to prioritize and mitigate those risks; and then operationalize these efforts by obtaining alignment across key stakeholders: operational technology, IT and cybersecurity.
3. Know the players in your ecosystem
Since the interconnectivity of third-party hardware, software or services may be the source of a security breach, it’s imperative to consider how a covered device interacts with such third parties. Ideally, contracts with third, fourth, and fifth parties should address security updates and concerns. Organizations should establish a third-party risk management program to evaluate the cyber risks of their third parties and supply chain partners.
4. Employ AI and ML to detect anomalies that humans can’t
You can’t prevent what you don’t know about. Artificial intelligence for IT operations (AIOps) has grown from an emerging category to an IT necessity. AIOps platforms are uniquely suited to establish a baseline for normal behavior and detecting subtle deviations, anomalies and trends. This is significant as IoT turns much of the physical world into robots powered by AI. Organizations should take both a secure by design (DevSecOps) approach in tandem with an AIOps approach to both prevent and identify cyber attacks.
5. Conduct vulnerability assessments on devices
As cyberattacks continue to grow, organizations should have confirmation that their connected devices — and the environment in which they’re deployed — have been designed, built and implemented with security in mind. Whether through basic testing or a bug bounty program, testing can provide assurance around the security posture of an organization’s devices.