fotohansel - Fotolia

Exploding IoT attack surface not an immediate threat to business

Companies should take care of the security vulnerabilities in their IT infrastructure, cloud back-ends and mobile applications in preparation for the challenges of IoT, says Adrzej Kawalec

Although the cyber attack surface is exploding with the adoption of internet of things (IoT) devices and services, this is not yet an immediate threat to most businesses, according to a security researcher.

“Although there may be an immediate threat to business due to some consumer IoT device that’s been adopted, most businesses will only face this in around five years’ time,” said Andrzej Kawalec, head of security research and chief technology officer at HPE Security Services.

“Right now, very few organisations have started building a digital component to their physical systems and they have not yet started integrating different systems in the same way as consumers using IoT technologies,” he told Computer Weekly.

The exceptions are specific early-adopter use cases in the healthcare, hotel, travel and transport industries. But there is still no immediate need for most businesses to offer an IoT-enabled product or service, said Kawalec.

“Five years down the line, however, that won’t be the case. Competition will drive IoT innovation so that in the rental car industry, for example, whichever company is the first to offer keyless, mobile access to their vehicles will gain a competitive edge,” he said.

However, the “here and now challenge” for companies in this context, said Kawlec, is the cloud back-end and mobile applications.

“In preparation for IoT, companies should ensure they are patching their basic infrastructure, monitoring cloud applications and user bases, and developing secure mobile applications. Our research shows these are among the things that few companies are doing well,” he said.

Kawalec said these things are the pre-cursors to IoT. He added that if companies do not get better at them quickly, when the “IoT tsunami” hits, they will be poorly prepared to meet the security challenges.

More time needed for development of applications

Asked why these areas are commonly not addressed well, he said there are two main reasons.

First, the risk is poorly understood and governed. “There is typically a poor understanding of what their digital assets are and the likely cyber threats, as well as a poor understanding of the risk associated with adopting new technology and of new and emerging legislation,” said Kawalec.

Second, development cycles are getting shorter. “The natural development cycle of an application is being shortened from months to weeks and – in some cases – days, with applications being pushed out in response to a competitive market challenge, often outside of IT.

“As a result of these compressed development cycles, security requirements are becoming even more overlooked than they used to be in the past. The development imperative is time and availability, not security,” he said.

Security ‘has to be built’ into mobile apps

Recent research by HPE Security has shown that while 35% of normal applications exhibit significant security flaws, this is true of 76% of mobile apps.  

Building security into products and services from the start is key, said Kawalec. “Designing a secure organisations is as much about governance as it is about user education and awareness, and security has to be built in, but a lot of organisations do not do that,” he said.

A particular challenge presented by IoT, he said, is the ability of IoT producers to support these devices in terms of security and privacy for the lifespan of the device.

Kawalec believes that rather than seeking to solve the security risks of IoT to businesses in a specific way, there needs to be a general in the mind-set around risk to an assumption of compromise.

“If you assume you will be compromised, it changes the mindset. It means you are looking for attackers rather than just trying to stop them from getting in.

“That mindset prompts organisations to look at how they improve their ability to detect and respond to breaches, as well as their ability to recover quickly when breaches occur, leading to a more comprehensive and effect approach to security,” he said.

Read more about IoT security

  • Growth of the internet of things will be slowed or stunted if the industry fails to be proactive about data security, according to IoT Security Foundation.
  • The influx of internet of things devices will inevitably bring security headaches. Don’t miss out on the opportunities of IoT, but learn how to avoid IoT security issues.
  • The Five key information security risks associated with the internet of things that businesses can and should address.
  • The growing threat of the internet of things is quickly becoming a reality as new attack methods emerge.

Read more on Hackers and cybercrime prevention