Survey calls for minimum security standards for IoT products

  

The IOActive IoT Security Survey, conducted in March 2016, revealed that nearly half (47%) of all respondents felt that less than 10% of all IoT products on the market are designed with adequate security. However, 63% of respondents felt the security in IoT products is better than in other product categories.

While the IoT era of products brings innumerable advances and modern conveniences to the lives of consumers, the connected nature of these products creates unintentional ports to other sensitive and critical systems, data, and devices. When security is insufficient in even seemingly harmless household appliances, wearables, or other IoT products, it presents endemic vulnerabilities and risks.

“Consensus is that more needs to be done to improve the security of all products, but the exponential rate at which IoT products are coming to market, compounded by the expansive risk network created by their often open connectivity, makes IoT security a particular concern and priority,” said Jennifer Steffens, chief executive officer for IOActive. “According to Gartner, 21 billion connected things will be in use by 2020. It’s important for the companies that develop these products to ensure security is built in; otherwise hackers are provided with opportunities to break into not only the products, but potentially other systems and devices they’re connected to.”

The survey also showed that 72% of respondents believe security not adequately designed into products is the single biggest challenge facing IoT security. A majority of the security professionals surveyed also felt that uneducated users and user error (63%) and data privacy (59%) were challenges to IoT security.

As remedies to these challenges, respondents pointed to establishing minimum security standards and enforcing mandatory product recalls, updates, or injunctions as the two most effective means for improving IoT product security. Additionally, 83% believe that public disclosure of vulnerabilities on its own is not enough, and that some form of regulatory action would be more effective.