Do IT security professionals have the tools and CxO support to prevent cyber-attacks on the IoT?

(Photo: National Geographic)

According to several IoT industry analysts, IT security professionals are not confident that they can prevent cyber-attacks on the Internet of Things. Not only do companies still need to get their data security houses in order, but the market for industrial cyber-security products is, frustratingly, described by one analyst firm as “immature”. Jeremy Cowan reports.

Once the stuff of fiction, the risk of harm to people, businesses and national critical infrastructure from an attack on cyber-physical systems through the IoT is growing (See: Concerns grow that IoT is not secure in long term as Beecham report urges industry to protect end users). According to the global consulting firm Protiviti, cyber-security threats are not only an increasingly common phenomenon; its report, 2014 IT Security and Privacy Survey, also suggests that businesses are struggling to manage their IT securely.

Ryan Rubin, managing director of Protiviti and UK leader of the firm’s IT security and privacy practice said: “Our survey results tell a story of gaps between where companies currently stand and where they should be in relation to fundamental elements of IT security. Some progress has been made since our last survey, yet many organisations still fall short of important standard protocols for IT security and privacy. Companies need to take more action in relation to the risks they recognise to better protect their crucial data.”

Ryan Rubin, MD of Protiviti: Organisations are falling short

The survey’s results are linked to five major themes that suggest companies still need to make further improvements to their IT security and privacy practices.

  1. Organisations lack high confidence in their ability to prevent a cyber-attack or data breach. While executive management has a higher level of awareness of the organisation’s information security exposures, the lower confidence among IT executives and professionals in preventing an attack or breach likely reflects the creativity of cyber-attackers and the inevitability of a breach – and hence the need for strong incident response planning and execution.
  2. Companies are not preparing properly for crisis scenarios. Worryingly, there is a significant year-on-year jump in the number of organisations without a formal, documented crisis response plan to execute in the event of a data breach or cyber-attack.
  3. There is a correlation between board engagement and stronger IT security profiles. Nearly three out of four boards have a good understanding of their organisation’s information security risks, according to the survey. Boards that are concerned with how their business is addressing its risks have significantly stronger IT security profiles. On the other hand, one in five boards appears to have a low level of engagement in how the company is addressing information security risks. “With greater market sensitivity to information security issues as well as a rise in associated legal requirements, we would expect board interest to be even higher in most organisations,” said Rubin.
  4. Companies do not have proper ‘core’ data policies. One in three companies does not have a written information security policy (WISP). More than 40% of firms lack a data encryption policy. One in four does not have acceptable use or record retention / destruction policies. These are critical gaps in data governance and management, and they carry considerable legal implications.
  5. Not all data is equal. The percentage of organisations that retain all their data and records has more than doubled, which is not necessarily a positive development. In addition, a relatively large number of organisations do not use a data classification schema to prioritise how data is processed and governed. Even fewer companies appear to prioritise data that is highly regulated, including mobile payment and PCI (payment card industry) data and mHealth-related information.

Are CxOs taking responsibility?

It’s a relief to see, however, that the Protiviti survey shows CIOs and CSOs are more engaged in taking on the primary responsibility for security policies than in the past. Companies are also becoming more aware of their data lifecycle – where and how long their data is stored. (www.protiviti.com/ITsecuritysurvey)

One more sobering thought: the survey showed that – despite news stories and industry conjecture to the contrary – only a small number of organisations are moving their sensitive data into the cloud.

Cyber-security – Late or just in time?

(Figure: IHS, cyber-security)

The need for cyber-security tools and expertise may be greater than ever, but the market for industrial cyber-security products remains extremely immature. Analyst firm IHS reports that there are approximately 160 industrial cyber-security system vendors worldwide, offering a wide variety of hardware, software and services. In contrast to other sectors of industrial automation, no one vendor dominates, and those with the highest market share typically specialise in a particular region, industry sector or technology. Toby Colquhoun, senior analyst at IHS Inc, believes there will be a “shakeout”: the market will attract some new entrants, but this will be largely offset by companies choosing to exit the business and by acquisition-driven consolidation.

Colquhoun says, “A quiet revolution is already occurring in an industry more used to incremental improvement. Vendors of control systems have united around IEC 62443 (the international version of ISA-99) which, when finalised, will describe how to secure control system assets throughout their lifecycle (including development). Whereas security was an afterthought in earlier generations of control system, asset owners have pushed suppliers to restructure their products to implement security features which provide some inherent levels of protection. Only parts of the IEC 62443 standard have so far been released; but once the standard and certification services are available, all tier 1 vendors are expected soon to offer an IEC 62443 product.”

Where I differ from IHS is in its belief that legislation on industrial cyber-security is unlikely. As Colquhoun says, the cyber-security legislation governing the North American power industry (NERC-CIP) “shows that it is possible to spend a lot of money without improving security.” (See: ‘We’re 9 meals from anarchy’: Take the cybersecurity threat to IoT seriously.) Although essentially an optimist, I can’t help believing that it is not a question of IF but WHEN there is a cyber-attack on a water or energy utility, a food retailer or their logistics chain. In that scenario, legislation will hurriedly and belatedly follow a successful attack as surely as night follows day.

New laws? We don’t comply with the old ones!

Cyber-security company Sophos, based in Oxford, UK, today announced the results of its research into attitudes among end users towards security and data protection across Europe. The research, conducted by Vanson Bourne, reveals that 84% of respondents agree Europe needs stronger data protection laws, but 77% are not confident that their organisation complies with current regulations.

Of the 1,500 professional consumers and office workers surveyed across the UK, France and Germany, the majority confirmed that they were concerned about both their personal data (79%) and their corporate data (65%). However, almost half (49%) said their organisation either did not have a data protection policy in place or had not communicated it to employees.

To find out more, go to:
www.protiviti.com
www.ihs.com and www.sophos.com