As the IoT moves toward the core of digital business, the integration of security domains will likely introduce game-changing hazards. But some organizations have executed an integrated IoT cybersecurity program.

In fact, PwC recently issued its new (4th) installment of The Global State of Information Security (GSISS) Survey 2017 – Uncovering the potential of the Internet of Things – focused on how organizations are addressing cybersecurity and privacy for converged technologies. Grant Waterfall, PwC US Cybersecurity & Privacy Deputy Leader, sat down with Inside Counsel to discuss the report and how the right cybersecurity and privacy safeguards can help businesses optimize the promise of IoT.

Until recently, a cybersecurity exploit leveraging the IoT was a theoretical concept. That changed one morning last fall, when an army of IoT devices carried out a massive Distributed Denial of Service (DDoS) attack on Dyn, a Domain Name System provider. Hundreds of thousands of compromised IoT devices, including cameras, webcams and routers, hit Dyn's headquarters with a DDoS attack that leapfrogged around the world, taking down major websites in its wake. By that afternoon, cybersecurity for the IoT had quickly escalated from an esoteric information security discipline to mainstream news. Suddenly, IoT security and privacy had become a new business priority.

Risks of future compromises will very likely increase as connected devices proliferate, according to Waterfall. In fact, Gartner, Inc. forecasts that 8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016, and will reach 20.4 billion by 2020. Approximately one-quarter of respondents to The Global State of Information Security® Survey 2017 report exploits of IoT components like operational technologies (OT), embedded systems and consumer devices.

“As the IoT moves toward the core of digital business, the integration of security domains — IT, OT and consumer technologies — will likely introduce game-changing hazards,” he explained. “These potential risks include disruption in the information flow among connected devices, physical interference with equipment, impacts on business operations, theft of sensitive information, compromise of personal data, damage to critical infrastructure and even loss of human life. Yet few organizations have executed an integrated IoT cybersecurity program, largely because implementation standards or frameworks have been slow to emerge for the platform.”

Beyond security, many privacy issues surround IoT implementation, relating to the collection, storage and use of information acquired through IoT devices. When the collection and use of IoT data includes personal information, or when the information collected can be used to paint a picture of an individual's activities, businesses must consider the privacy risks associated with processing this data. Since IoT security and privacy is a nascent discipline, most businesses lack the expertise and resources to design, deploy and operate a program on their own.

Still, many are starting to take action on the security and privacy fronts, according to Waterfall. This year, 35 percent of GSISS respondents said they have an IoT security strategy in place, and an additional 28 percent are implementing one. Additionally, 46 percent of respondents said they will invest in security for the Internet of Things over the next 12 months. They plan to fund initiatives such as development of new data-governance policies, device and system interconnectivity and vulnerability, employee training and uniform cybersecurity standards and policies.

So, how are organizations addressing cybersecurity and privacy for converged technologies?

“It's good news that organizations are beginning to address cybersecurity and privacy for converged technologies, but much remains to be done,” he said. “Those that take proactive steps to implement an integrated IoT cybersecurity and privacy program will be better prepared to manage inevitable future risks and create new products and services that can transform business models.”

The IoT is poised to upend business models, disrupt economies around the world, and deliver unprecedented conveniences to society. An integrated cybersecurity and privacy program is key to realizing potential advantages as the Internet of Things unfolds. At the end of the day, businesses that align IoT product and systems development with emerging cybersecurity standards and safeguards will have a head start realizing advantages on the interconnected platform of tomorrow.

Many businesses are deciding that the opportunities of the IoT are simply too compelling to ignore, according to Waterfall. They see the emerging platform as a catalyst of change, a vehicle to boost competitive advantages, increase operational efficiencies and create new revenue streams. But the trouble is that many are jumping into the IoT before they implement cybersecurity safeguards. He said, “The lack of IoT standards is a significant hurdle, but it is not insurmountable.”

“Given the sprawl of cybersecurity technologies deployed across organizational ecosystems, we would advocate that enterprises begin the dialogue now with their technology product partners regarding the path forward to identifying, securing and managing data produced or transacted on by an IoT capability,” said Shawn Connors, Principal, PwC. “We believe that many organizations will find that existing enterprise-class technologies are going to be quickly extended to manage and protect the flow of data within and across IoT networks.”

A cybersecurity program for the IoT does not necessarily require wholesale purchase of new technologies and solutions. Instead, organizations can start by integrating core IT cybersecurity safeguards with their IoT infrastructure. Some forward-thinking businesses are employing Enterprise Security Architecture (ESA) to build IoT security that is baked into architectural components across domains.

“To be most effective, training should be tailored to the individual company's threats, response-readiness and processes. Fostering a culture of security will be most effective when executive leaders proactively articulate the importance of a secure business environment,” explained Waterfall. “Organizations need to set the tone from the top, making security training really about enabling the company's digital future. They then need to tie training to the purpose of the company and design awareness programs around that.”