Firms are not prioritising IOT device security
Managing and securing Internet of things (IOT) devices is going to be a key challenge for organisations looking to benefit from digitisation and the integration of IOT devices.
This is according to Dominic Richardson, chief marketing officer of Panda Security Africa, who notes business leaders appear to be relatively unaware of the far-reaching impact of IOT devices and the risk they pose to the organisation's cyber security efforts.
"Even if they have an understanding of IOT's impact on their organisation, implementing a strategy for securing the network of IOT devices will differ vastly from one industry vertical to another. This makes it incredibly challenging to manage and secure these devices."
The volume of reported high-profile IOT infrastructure incidents has increased in the past 12 months, says Kris Budnik, cyber lead for PwC Africa. For example, crypto mining, ransomware, DDOS, and consumer IOT hacks related to connected cars, medical monitoring devices and webcams have risen, adds Budnik.
"The associated awareness in respect to the vulnerability of this infrastructure has certainly not escaped the attention of the bad guys, so expect more as they develop and trial new techniques to exploit this environment."
A recent Trend Micro survey reveals there is a major discrepancy between the investment in IOT systems and the security to protect them.
The study, which interviewed 1 150 IT and security decision-makers across the globe, states that as the growing number of connected devices opens businesses up to additional cyber threats, close to half (43%) of IT and security decision-makers say security is an afterthought when implementing IOT projects.
With breaches having the potential for a significant impact on business operations, such as jeopardising GDPR compliance or taking critical networks offline, Trend Micro notes cyber security cannot be an afterthought and it must be key to the IOT implementation process from the outset.
Additionally, testing should take place ahead of implementation to ensure new devices added to corporate environments are secured, it says.
For South African businesses, budget constraints further complicate the matter as the weak rand prohibits the implementation of appropriate and adequate controls, says Graham Croock, director of BDO IT Advisory Services.
Croock says risk-based strategies need to be the foundation of planned IOT project implementation.
"Without consulting specialists and qualified engineers to perform risk assessments and vulnerability testing, the security design will invariably fail, and with such weak designs, the control mechanisms will introduce breaches."
Calls for regulation
Doros Hadjizenonos, regional sales director for Fortinet Southern Africa, says as more and more networked devices with incredibly poor IT security are being brought onto the market, there are increasing calls to put regulations in place to protect IOT (and industrial IOT), but this needs to be considered carefully.
"As consumer IOT vendors battle to bring more features at a lower cost, it makes sense to introduce regulation to ensure users can have some level of assurance that a product has a sufficient level of security so as to not present a danger in their homes.
"This in turn will provide the incentive which is sadly lacking today, for vendors to include security in the inherent design of their products."
When looking at more professional uses of IOT, especially industrial and critical infrastructure applications, care has to be taken to ensure regulation does not impact innovation and competition, notes Hadjizenonos.
In those cases, it is vitally important that the personnel responsible for running IOT networks have the information, skills and tools required to ensure equipment meets the security standards appropriate for the specific purpose and application, he adds.