Less than half of firms able to detect IoT breaches, study shows

UK firms have one of the lowest internet-of-things device breach detection capabilities in Europe, a study reveals

Only 48% of European firms can detect when any of their internet-connected devices have been breached, a survey shows.

In the UK, this figure drops to 42%, the second lowest in Europe after France, where only 36% of companies polled said they can detect if any of their devices making up the internet of things (IoT) suffers a breach, according to the study by digital security firm Gemalto.

The finding comes despite an increased focus on IoT security by European firms, with spending on IoT security protection up from 11% of IoT budget in 2017 to 13%. In addition, nearly all (90%) firms polled believe it is a big consideration for customers, and 14% said they see IoT security as an ethical responsibility compared with just 4% a year ago.

Although 21% of UK respondents believe IoT security is an ethical responsibility and 62% feel that it is very important to have regulations in place regarding IoT security, UK spending on IoT protection remains lower than the global average, at only 11% of IoT budgets.

With the number of connected devices set to top 20 billion by 2023, Gemalto is urging businesses to act quickly to ensure their IoT breach detection is as effective as possible.

Surveying 950 IT and business decision makers globally, Gemalto found that companies are calling on governments to intervene, with 79% asking for more robust guidelines on IoT security, and 59% seeking clarification on who is responsible for protecting IoT.

Despite the fact that many governments have already enacted or announced the introduction of regulations specific to IoT security, most (95%) businesses believe there should be uniform regulations in place, a finding that is echoed by consumers, with Gemalto research indicating that 95% expect IoT devices to be governed by security regulations.

“Given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still can’t detect if they have been breached,” said Jason Hart, CTO of data protection at Gemalto.

“With no consistent regulation guiding the industry, it’s no surprise the threats – and, in turn, vulnerability of businesses – are increasing. This will only continue unless governments step in now to help industry avoid losing control.”

Commenting on the UK survey results, Hart said the push for digital transformation by organisations has a lot to answer for when it comes to security and bad practices. “At times it feels organisations are trying to run before they can walk, implementing technology without really understanding what impact it could have on their security,” he said.

“With IoT devices continuing to immerse themselves deep within organisations’ networks, it’s frightening to see that so many UK businesses don’t know if and when these devices have been breached. Although the UK’s new Code of Practice is a great first step toward securing the IoT, it won’t truly be effective until these are made mandatory and all organisations are forced to adhere to them. Only once every device, new and old, is given these same standards will the UK see a decrease in successful attacks.”

Addressing data issues

Among the biggest challenges to IoT security prompting calls for government intervention are data privacy (38%) and the collection of large amounts of data (34%).

Protecting an increasing amount of data is proving an issue, the survey shows, with only three in five (59%) of those using IoT and spending on IoT security admitting they encrypt all of their data.

Other Gemalto research shows consumers are not impressed with the efforts of the IoT industry, with 62% believing security needs to improve. When it comes to the biggest areas of concern, 54% fear a lack of privacy because of connected devices, followed closely by unauthorised parties such as hackers controlling devices (51%) and lack of control over personal data (50%).

While the industry awaits regulation, it is seeking ways to address the issues itself, according to Gemalto, with blockchain emerging as a potential technology solution.

Research shows adoption of blockchain has doubled from 9% to 19% in the past 12 months. Almost a quarter (23%) of respondents believe that blockchain technology would be an ideal solution to use for securing IoT devices, with 91% of organisations that do not currently use the technology saying they are likely to consider it in the future.

As blockchain technology finds its place in securing IoT devices, the survey shows that the majority of businesses (71%) are relying on encryption to protect their data, while password protection (66%) and two-factor authentication (38%) remain prominent.

According to Hart, businesses are clearly feeling the pressure of protecting the growing amount of data they collect and store. “While it’s positive they are attempting to address that by investing in more security, such as blockchain, they need direct guidance to ensure they’re not leaving themselves exposed. To get this, businesses need to be putting more pressure on the government to act,” he said.

In November 2018, IoT security researcher Ken Munro also called for government action at the EEMA ISSE 2018 cyber security conference in Brussels.

Like Hart, he said the UK Code of Practice is a good start, but Munro believes there is still a long way to go and he would like to see some basic regulation.

Speaking to Computer Weekly, Munro said a revised version of the UK Code of Practice showed how existing legislation such as the EU’s General Data Protection Regulation (GDPR) could be brought to bear against poorly secured smart products.

“The CoP is a great start, but there is still more to be done,” he said. “I would like to see fresh primary legislation in the IoT arena in the UK, but this will take time. It would also be reasonable to let the CoP guidance ‘bed in’ with manufacturers. If they don’t start to change behaviour, that would be the time for regulation.”

Munro believes giving consumers the right to return vulnerable smart products for credit will create financial incentives for manufacturers to improve security, as will retailers committing to not stocking vulnerable smart tech, backed up by trading standards legislation. He would also like to see manufacturers delivering product security updates for the foreseeable life of the product.

“I think demonstrating security in a product will actually drive sales because if someone can buy a smart thermostat and know it is secure, that will increase sales in the market,” he said.
