While the IoT's rise over the last few years has brought a wide range of benefits to organisations, it has also left them even more vulnerable to cybersecurity attacks and created a widening attack surface.
It is vital that organisations implement a security-by-design approach for designing and deploying IoT and products, the report recommended. This approach involves incorporating cybersecurity practices by default into the product's design, as well as into the environment in which it is implemented.
Security-by-design saves time and reduces costs by fixing security issues the first time around when building a product. In a poll of more than 4,200 professionals across industries and positions, nearly half (48%) said that when developing or deploying connected products or devices, it is imperative that DevSecOps is embedded throughout the lifecycle, and teams work with legal, procurement, and compliance across deployments.
According to Deloitte, here are the top 10 security risks created by the current IoT environment.
- Not having a security and privacy program
- Lack of ownership/governance to drive security and privacy
- Security not being incorporated into the design of products and ecosystems
- Insufficient security awareness and training for engineers and architects
- Lack of IoT/IIoT and product security and privacy resources
- Insufficient monitoring of devices and systems to detect security events
- Lack of post-market/ implementation security and privacy risk management
- Lack of visibility of products or not having a full product inventory
- Identifying and treating risks of fielded and legacy products
- Inexperienced/immature incident response processes
Currently, there is a long way to go industry-wide when it comes to adopting cybersecurity standards as Deloitte's statistics show. Only 28% of respondents saying that they use an industry defined framework.
Deloitte has suggested five considerations for organisations who are seeking to implement security-by-design into IoT products. They are as follows:
Have a dedicated team and provide them with ample resources: Don't expect enterprise security teams to cover missions without adding new resources for them. Build a dedicated team that has product-based experience and provide training as needed to increase knowledge.
Leverage industry-available resources: Rather than developing and providing unique questionnaires to your device vendors, use publicly available industry resources.
Understand the current state of product security and develop a cyber strategy: Whether designing connected products or acquiring such products to implement internally, assess how products, including the data they produce, are protected. Develop a cyber strategy to drive improvement.
Establish security-by-design practices: Integrate security-by-design into the design of the product itself or into the design of the ecosystem architecture, through requirements, risk assessments, threat modelling and security testing.
Set the tone from the top: Ensure the right people are engaged and have ownership of the process – from leadership to the relevant product security subject matter experts to the product teams.