While the Internet of Things (IoT) and Industrial Internet of Things (IIoT) open up new benefits for organizations, they also create significant cybersecurity risks and a widening attack surface. Yet many companies fail to recognize the scope of the risk they take on when using connected devices, and lag behind in managing those threats, according to the report How Much Do Organizations Understand the Risk Exposure of IoT Devices? from Deloitte and Dragos, released Thursday.

Organizations should adopt a security-by-design approach when designing and deploying IoT and IIoT products, the report recommended. This approach builds cybersecurity practices into the product's design by default, as well as into the environment in which the product is deployed.

SEE: Securing IoT in your organization: 10 best practices (free PDF) (TechRepublic)

Security-by-design saves time and reduces costs by addressing security issues the first time around, while a product is being built, rather than after it ships, according to the report. In a poll of more than 4,200 professionals across industries and positions, nearly half (48%) said that when developing or deploying connected products or devices, DevSecOps must be embedded throughout the lifecycle, with product teams working alongside legal, procurement, and compliance across deployments.

Here are the top 10 security risks created by the current IoT environment that organizations must address, according to Deloitte:

  1. Not having a security and privacy program
  2. Lack of ownership/governance to drive security and privacy
  3. Security not being incorporated into the design of products and ecosystems
  4. Insufficient security awareness and training for engineers and architects
  5. Lack of IoT/IIoT and product security and privacy resources
  6. Insufficient monitoring of devices and systems to detect security events
  7. Lack of post-market/implementation security and privacy risk management
  8. Lack of visibility of products or not having a full product inventory
  9. Identifying and treating risks of fielded and legacy products
  10. Inexperienced/immature incident response processes

“Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind,” Sean Peasley, an IoT security leader in Cyber Risk Services at Deloitte & Touche LLP, said in a press release. “Today all sorts of products are becoming a part of cyber: from ovens to instant cookers, 3D printers to cars. Organizations need to consider what can actually go wrong with what is really out there and look at those challenges as a priority.”

How to create IoT security-by-design

Many organizations (41%) said they are looking to industry and professional groups for guidance in creating security-by-design in their business. Another 28% said they look to regulatory bodies and agencies that set the standards first, and 22% said they developed their practices internally, Deloitte found.

Organizations should first seek to understand the best practices and standards of their peers, and then look to regulatory bodies to inform their strategies, Deloitte analysts wrote.

SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)

Some 30% of respondents said they did not use a defined set of product cybersecurity requirements, while only 28% said they use an industry-defined framework, and 41% said they use a customer framework, indicating that there is a long way to go industry-wide when it comes to adopting cybersecurity standards.

Here are five considerations for organizations seeking to implement security-by-design into IoT products, according to Deloitte:

  • Understand the current state of product security and develop a cyber strategy: Whether designing connected products or acquiring such products to implement internally, assess how products, including the data they produce, are protected, and develop a cyber strategy to drive improvement.

  • Establish security-by-design practices: Integrate security-by-design into the design of the product itself or into the design of the ecosystem architecture, through requirements, risk assessments, threat modeling, and security testing.

  • Set the tone from the top: Ensure the right people are engaged and have ownership of the process – from leadership to the relevant product security subject matter experts to the product teams.

  • Have a dedicated team and provide them with ample resources: Don't expect existing enterprise security teams to take on product security without new resources; build a dedicated team with product-based experience and provide training as needed to deepen its knowledge.

  • Leverage industry-available resources: Rather than developing and sending your own unique questionnaires to device vendors, use publicly available industry resources.

For more, check out How to secure IoT devices: 6 factors to consider on TechRepublic.

Image: iStockphoto/ipopba