Internet of things
Governments and financial institutions are vulnerable to attack, developers say. geralt/pixabay

Connectivity is becoming ubiquitous in our daily lives, with appetite from consumers and businesses for connected devices and services sparking the rapid proliferation of the Internet of Things (IoT). According to IHS Markit, by 2025, it’s estimated that 73 billion IoT devices will be connected globally. The United States is ranked one of the earliest adopters of the IoT, with 69 percent of American households owning a connected device.

Yet, IoT is still in its infancy, and manufacturers have been neglecting to build in security measures at the point of design. So, as IoT devices become more commonplace in homes and businesses, the attack surface is only getting bigger – cybercriminals are recruiting our smart speakers, smart TVs and other smart devices for their own campaigns of cyber terror.

However, it’s not in these consumer devices where the biggest IoT cybersecurity threat could lie. Cybercriminals often operate as businesses themselves and will focus on targets that will provide the greatest return on their hacking investment. Therefore, as various industries become increasingly connected, this is where we could see an extremely costly impact of IoT-focused cyberattacks, if security is not prioritized. Insecure devices, and potentially companion apps, present a variety of risks to safety and privacy, especially as the IoT enters more critical industries such as healthcare, transport and manufacturing.

Connectivity risk vs. reward

The key issue is that many of the industries experiencing a connectivity boom never expected the IoT to apply to them. As a result, these industries have historically not been prepared to tackle the security problem that accompanies connectivity. This isn’t to say that organizations aren’t doing their part to implement cybersecurity technology and strategies. However, the integration of a wide-range of devices that may or may not be secure, coupled with evolving regulations and requirements to address cybersecurity challenges, has created an extremely confusing security landscape to navigate. If not navigated successfully, then the consequences could be extremely severe, a point which was outlined by the results of the Irdeto Global Connected Industries Cybersecurity Survey, which revealed that cyberattacks targeted at IoT devices could cost the U.S. economy a staggering $8.8 billion per year.

The research interviewed 200 security decision makers at U.S. organizations within the connected transport, connected manufacturing and connected health industries, with a view to gauging perceptions of IoT security and organizations’ biggest concerns. It found that IoT-focused cyberattacks are alarmingly widespread. Eighty percent of respondents claimed to have experienced such an attack in the past twelve months, with over half (55 percent) of those hit experiencing operational downtime as a result. This demonstrates the security limitations of many IoT devices and the need for organizations to think carefully about a cybersecurity strategy amidst IoT deployment.

In addition, the research found that 37 percent of respondents’ organizations experienced compromised customer data following a cyberattack targeted at IoT devices within their business. In a post-GDPR era, if customer data is leaked, companies could face significant legal and financial penalties beyond the initial cost of attack – a total cost that some businesses just can’t afford.

All of these findings contribute to the cost of IoT-focused cyberattacks, with respondents estimating that the cost to their organizations in the past year was an average of $320,000. To quantify the impact on the wider U.S. economy, we then examined the number of companies with more than 500 employees and the average cost per attack(s), with the total equating to approximately $8.8 billion per annum.

Addressing the security challenges

While the benefits brought to a wide range of industries by the IoT and connectivity are not in doubt, high profile incidents of breaches or vulnerabilities never seem to be far from the headlines - Jeep Cherokee, Vtech and CloudPets spring to mind. Insecure IoT devices and companion apps are essentially low-hanging fruit for cybercriminals, who are increasingly finding new, creative ways to turn our technological dependence into their own nefarious gain.

It’s clear therefore that, if not addressed, a lack of IoT security could pose a serious financial threat to the wider U.S. economy. With so many devices entering the market, and being deployed in critical businesses, the need for improved security measures is without question. Connected device manufacturers must ensure that devices are secure from the very point of design, incorporating multiple layers of security as well as offering regular health checks and software updates. If unsure, consumers and businesses should also ask their manufacturers about device security and take appropriate measures to keep their information secure. In the case of businesses, this must include a defense-in-depth approach to security, incorporating multiple layers of security into their defenses, rather than just securing the perimeter.

While these findings may paint a gloomy picture of IoT security, the research also suggests that the previous mindset of security as an afterthought is changing and organizations are beginning to think more strategically about security. Of the security decision makers surveyed in the U.S., 99 percent agreed that a security solution should be an enabler of new business models, not just a cost – an indication that today’s businesses do realize the value add that security can bring to their organization. From enabling new rental or subscription models in connected vehicles, to Digital Twins revolutionizing the manufacturing processes, to providing patients with even better healthcare, IoT capabilities combined with robust security will enable the successful implementation of new customer experiences and business models in today’s connected world.

Steeve Huin is vice president of strategic partnerships, business development and marketing at Irdeto, which provides security for digital platforms.