By Design and by Default: Why Firms Must Include Security Teams in IoT Projects

by Bharat Mistry

As organisations build out their Internet of Things (IoT) infrastructure, cyber-risk must be properly managed. Unfortunately, the latest research from Trend Micro has found that security teams are still not being consulted in the majority of global enterprise projects. It’s a major mistake and one which could come back to bite firms if their IoT systems are not secured “by design and default” as required by the GDPR.

If there’s one thing attendees took away from the ever-popular Trend Micro CLOUDSEC conference this week, it’s that online threats are only going to continue escalating.

Security ignored
There’s no doubt the IoT revolution is in full swing today. Our poll of 1,150 IT and security decision makers in Germany, France, Japan, the UK and the US revealed that organisations spent on average £2.5m on IoT projects last year and plan to ramp that up even further over the coming 12 months. Little wonder, then, that analysts have predicted the number of smart “things” will exceed 20 billion by 2020.

However, our latest findings are concerning. They indicate that while 79% of firms involve the IT department in choosing industrial IoT solutions, just 38% involve security teams. The figure falls even further for organisations looking to roll out smart factory (32%), smart utility (31%) and wearables (30%) projects. UK respondents may be the most likely (42%) to consult security teams on industrial IoT projects, but the figures are still too low. Only just over half (56%) of global respondents claimed the CISO is one of the top three decision makers, behind the CTO (57%) and CIO (64%). Even more worrying is that nearly a third (31%) claimed they aren’t always sure who is responsible for IoT security in their organisation.

Exposed IoT endpoints represent a major risk to organisations: not only could they be used as a stepping stone into the corporate network in data-stealing raids, but attackers could also sabotage devices themselves, possibly putting the public or employees in danger. It’s a risk that European regulators are well aware of, which is why any organisation falling under the remit of the NIS Directive should pay close attention to IoT risk. If data is breached via an unsecured IoT endpoint then GDPR regulators could also get involved. The new data protection laws mandate a security “by design and by default” approach whereby measures must be baked in from the very start. That means consulting with your IT security teams from the beginning.

An important role
Security leaders play an important role in providing a check and balance against the commercial imperatives that drive most organisations. They can advise on the most secure kit and ensure it is configured, patched, managed and monitored on an ongoing basis. The risk is that, if security teams are never told about them, IoT systems might fly completely under the radar, exposing organisations to unnecessary cyber-risk.

It’s the kind of challenge that was discussed at Trend Micro’s CLOUDSEC conference in London this week. The show brought together some of the world’s leading cybersecurity experts and law enforcement officials to debate some of the key trends facing the industry. An enlightening panel discussion on the changing role of the CISO concluded that security leaders would eventually become far more closely integrated with HR, IT compliance and other functions. However, looking at the latest IoT findings, that point still seems quite a long way off.