Wide Disparity Between Consumer, IT Pro Views of IoT Security

Only 20 percent of security pros have confidence about controlling who has access to information collected by IoT devices in people's homes.

A respected security industry researcher revealed Oct. 16 that it is seeing a major difference of opinion between consumers and cyber-security and IT professionals regarding the securability of connected devices.

Almost two-thirds (64 percent) of consumers who use mobile connected Internet of things items, such as smartwatches, health monitors, connected cars and mobile videocams, are satisfied that they can control security on those items. Yet according to more than 2,000 U.S. IT and cyber-security professionals who responded to a parallel survey, only 20 percent have this same confidence about controlling who has access to information collected by IoT devices in their homes.

A whopping 77 percent of professionals say manufacturers are not implementing sufficient security in IoT devices.

The research was conducted by ISACA, a nonprofit global association of security professionals that provides industry knowledge, standards, networking, credentialing and career development to professionals. Established in 1969, ISACA has a membership of 140,000 professionals in 180 countries. ISACA offers the Cybersecurity Nexus, a holistic cyber-security resource, and COBIT, a business framework to govern enterprise technology. The group was previously known as the Information Systems Audit and Control Association.

IoT Security 'Flying Below Enterprise Radar'

ISACA's survey of U.S. IT and cyber-security professionals depicts an IoT that flies below the radar of many IT organizations—an invisible risk that survey respondents believe is underestimated and under-secured. Here are some data points to that effect:

--50 percent believe their IT departments are not aware of all of their organizations' connected devices (e.g., connected thermostats, TVs, fire alarms, cars);

--74 percent estimate the likelihood of an organization being hacked through an IoT device is medium or high;

--62 percent think that the increasing use of IoT devices in the workplace has decreased employee privacy.

The IoT for business-to-business use alone is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices worldwide by 2020, according to a recent "ABI for Verizon" research project.

"In the hidden Internet of things, it is not just connectivity that is invisible. What is also invisible are the countless entry points that cyber-attackers can use to access personal information and corporate data," said ISACA President Christos Dimitriadis, who is the group director of Information Security for INTRALOT.

"The rapid spread of connected devices is outpacing an organization's ability to manage it and to safeguard company and employee data."

More Takeaways From the Research

Other noteworthy metrics from the survey are as follows:

--More than three in four U.S. consumers (83 percent) consider themselves somewhat or very knowledgeable about the IoT, and the average estimated number of IoT devices in their home is five. Smart TVs top the list of IoT devices consumers most want to get in the next 12 months, with Internet-connected cameras, connected cars and wireless fitness trackers also ranked highly.

--Device manufacturers are falling short. Seventy-seven percent say they do not believe that manufacturers are implementing sufficient security measures in IoT devices.

--A nearly equal proportion (78 percent) don't think current security standards sufficiently address the IoT and believe that updates and/or new standards are needed.

--Privacy is also an issue; 88 percent believe that device-makers don't make consumers sufficiently aware of the type of information the devices can collect.

--Eighty-nine percent of U.S. consumers say it is important that data security professionals hold a cyber-security certification if they work at organizations with access to the consumers' personal information.

In the same report, ISACA offered some best practices for enterprises to maintain a cyber-secure workplace:

--Safely embrace IoT devices in the workplace to keep competitive advantage;

--Ensure all workplace devices owned by the organization are updated regularly with security upgrades;

--Require all devices be wirelessly connected through the workplace guest network, rather than the internal network;

--Provide cyber-security training for all employees to demonstrate their awareness of best practices of cyber-security and the different types of cyber-attacks.

ISACA's Best Practices for Manufacturers of IoT Devices

--Require all developers who build software to have appropriate performance-based cyber-security certification to ensure safe coding practices are being followed;

--Insist all social media sharing be opt-in;

--Encrypt all sensitive information, especially when connecting to Bluetooth-enabled devices;

--Build IoT devices that can be automatically updated with new security upgrades.

ISACA's Cybersecurity Nexus (CSX) helps organizations develop their cyber-security workforce and individuals advance their cyber-security careers. For information on CSX, including the CSX 2015 cyber-security conference and the new CSX Practitioner certification, go here.

Chris Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 13 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...