Should we trust the Internet of Things?

New research suggests that 65% of Australian consumers are confident they can control the security on the IoT devices they own. Conversely, only 19% of Australian IT professionals feel the same way and cybersecurity professionals say that manufacturers are not implementing sufficient security on IoT devices.

This information has come to light courtesy of the ISACA 2015 IT Risk/Reward Barometer, an annual indicator of trust in information. ISCA is a global, non-profit, independent association that advocates for professionals involved in information security, assurance, risk management and governance.

This year’s results show that more than three in four (81%) Australian consumers consider themselves somewhat or very knowledgeable about the IoT and the average estimated number of connected devices in their home is six. Smart TVs top the list of most wanted IoT devices to purchase in the next 12 months, with wireless fitness trackers and smartwatches also ranked highly.

The hidden IoT

ISACA’s survey of  IT and cybersecurity professionals depicts an Internet of Things that flies below the radar of many IT organisations — an invisible risk that survey respondents believe is underestimated and under-secured. Among the Australian respondents:

• 61% believe their IT department is not aware of all of their organisation’s connected devices (eg, connected thermostats, TVs, fire alarms, cars).
• 72% estimate the likelihood of an organisation being hacked through an Internet of Things device is medium or high.
• 57% think that the increasing use of Internet of Things devices in the workplace has decreased employee privacy.

The IoT for business-to-business use alone is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices worldwide by 2020, according to one estimate.

“In the hidden Internet of Things, it is not just connectivity that is invisible. What is also invisible are the countless entry points that cyber attackers can use to access personal information and corporate data,” said Christos Dimitriadis, PhD, CISA, CISM, CRISC, international president of ISACA and group director of information security for INTRALOT.

“The rapid spread of connected devices is outpacing an organisation’s ability to manage it and to safeguard company and employee data.”

According to Australian cybersecurity and IT professionals surveyed, device manufacturers are falling short. 75% say they do not believe that manufacturers are implementing sufficient security measures. A nearly equal proportion (71%) don’t think current security standards sufficiently address the IoT and believe that updates and/or new standards are needed. Privacy is also an issue; 90% believe that device makers don’t make consumers sufficiently aware of the type of information the devices can collect.

ISACA’s consumer research suggests that Australian consumers are likely to value businesses that can demonstrate their expertise in and commitment to cybersecurity best practices: 93% say it is important that data security professionals hold a cybersecurity certification if they work at organisations with access to the consumers’ personal information.

“It’s not a case of if, but when a device manufacturer is hacked. We’ve already seen improvements made by companies that adopt industry-wide security standards, and device manufacturers should do the same. By adopting security standards and setting security governance and professional development for their cybersecurity employees, companies can be more cyber resilient,” said Garry Barnes, practice lead, Governance Advisory, at Vital Interacts, Australia, and international vice president of ISACA.

“It’s also good for business — the research shows that customers want their IoT devices to be secure and data to remain private.”

Ways for enterprises to maintain a cyber-secure workplace

• Safely embrace Internet of Things devices in the workplace to keep competitive advantage.
• Ensure all workplace devices owned by the organisation are updated regularly with security upgrades.
• Require all devices be wirelessly connected through the workplace guest network, rather than internal network.
• Provide cybersecurity training for all employees to demonstrate their awareness of best practices of cybersecurity and the different types of cyber attacks.

Ways for consumers to protect IoT privacy and security

Require all developers who build software to have appropriate performance-based cybersecurity certification to ensure safe coding practices are being followed.

• Insist all social media sharing be opt-in.
• Encrypt all sensitive information, especially when connecting to Bluetooth-enabled devices.
• Build IoT devices that can be automatically updated with new security upgrades.

Image credit: ©FreeImages.com/gerard79