Key Findings from Keyfactor’s First Global State of IoT Security Report

As connected devices continue to blend the physical and digital worlds in exciting new ways, the potential cannot overshadow the risks and vulnerabilities. Product designers, equipment manufacturers, and businesses adopting IoT technology must work together to understand and address the challenges of securing these devices at scale.

That’s why Keyfactor and Vanson Bourne conducted an independent survey and analysis that examines the state of IoT security for both manufacturers and end users. The report, “Digital Trust in a Connected World: Navigating the State of IoT Security,” reveals concerns and challenges modern businesses face when establishing digital trust in today’s connected world.

The report includes insights from 1,200 professionals across North America, EMEA, and APAC, representing organizations in manufacturing, IT, telecom, energy, oil and gas, retail, construction, financial services, and many more. 

It also examines key factors contributing to the vulnerability of organizations using IoT and connected devices, including the rapid explosion of connected devices, the cost of inadequate cyber defense, and the complexity of where liability lies for successful cyber breaches.

In this blog, we’ll examine some of the most profound findings.

Responsibility for device security may be mixed

48% of respondents believe the manufacturer of IoT or connected devices should be mostly or completely responsible for cyber breaches on their products.

With so many IoT devices being deployed in highly personal settings (i.e., the home), breaches feel like more than a breach. For the consumer, it feels like a violation, which creates damning headlines and negative perceptions in the market. 

When it comes to blame, perception is often reality. Customers of device manufacturers will take their business elsewhere, even if they could have done more to prevent a vulnerability. 

6% of respondents said that blame depends on the breach.

The truth perhaps lies in the nuance of this 6%. 

It isn’t one party that owns the entire responsibility of security. Security can no longer be an afterthought in the design of the product. Many respondents said that manufacturers are obligated to release security patches and cover any known vulnerabilities or flaws. Even end users share some of the responsibility. They need education on secure practices when using and setting up IoT devices.

Current solutions aren’t addressing the totality of IoT challenges

93% of organizations use PKI solutions to manage certificates and issue digital identities, yet 97% face challenges in securing their IoT and connected products.

This begs the question: are organizations using the wrong methods or the wrong tools to secure IoT devices? 

Organizations may not be sure. Over half of respondents agreed that their organizations lack the awareness and expertise to secure IoT devices against attacks, and many admitted that they don’t necessarily understand what being fully protected from cyber attacks would entail.

Vendor support will be crucial in defining security goals for IoT device designers and manufacturers, especially as organizations report different priorities that they seek from vendor partners. Flexibility, cost savings, and visibility of certificates ranked highly. However, cost savings was the top objective for OEMs, while flexibility ranked highest for organizations using IoT devices. 

Vendors and organizations must be very clear about the pain points they need to solve, and how the solution can meet their needs.

Attacks and outages come with high stakes

98% of organizations have experienced certificate outages in the last 12 months, and OEMs whose manufacturing lines were impacted by certificate outages suffered a 12-month loss of $2.25 million on average.

The report found that as device numbers and usage scale, so does the friction involved with them, prompting organizations to seek solutions that address them. Nine out of 10 respondents said they would benefit from using a certificate lifecycle automation platform to manage certificates.

Smaller organizations (with employee counts between 500 and 4,999) are feeling the most urgency to solve the manual burden of certificate lifecycle management. Not only do these organizations struggle more with associated challenges such as saving time and reducing their internal workload, but they are also less likely to possess the in-house skills to manage certificates properly.

Cybersecurity breaches: current and future impacts

There are plenty of wild stories about IoT devices being hacked. Over the past few years, a number of incidents have made the news, from the infamous hackers that breached a casino through a connected fish tank thermometer, to Google’s Nest security cameras suffering a breach that gave intruders access to live video feed and microphone functions.

As IoT devices go more mainstream, finding their way into personal everyday settings, a breach means more than some exposed data. To consumers, a breach, whether to a connected device in their home or to a brand they know and trust, feels like a violation. As such, these incidents will become more public and generate more negative sentiment in the market.

Take MGM Resorts’ cyberattack in September 2023 — it disrupted the casino’s operations and is expected to cause a $100 million hit to its third-quarter results. In addition to the financial fallout, the private data of customers who used MGM services before March 2019, including contact information, gender, date of birth and driver’s license numbers, was compromised and undoubtedly diminished guests’ trust.

Clorox released a sales report from Q3 of 2023 that showed an alarming hit to the company’s profits due to a cyber attack that took place in August. As of October, Clorox’s physical production systems still hadn’t fully recovered from the attack. The company expects a significant year-over-year sales decline due to the incident.

Examples like those are a reminder that IoT devices have a foot in the real, physical world and stand to cause financial and reputational harm to companies and pose a host of other risks for consumers if they become compromised. According to the report, 89% of organizations that operate and use IoT products faced cyber attacks in the past 12 months, to the tune of $250,000 on average. Of these organizations, 69% reported an increase in cyber attacks on their IoT devices over the past three years.

Governments will soon begin taking steps to help consumers discern which products are secure. For example, in 2021, U.S. President Biden’s executive order on Improving the Nation’s Cybersecurity included plans for a consumer labeling program for IoT devices. That label — the U.S. Cyber Trust Mark — debuted in July 2023. Even though compliance with the label’s criteria is optional, it is being embraced by Amazon, Google, Best Buy, and other heavy hitters. Whether by regulation or the will of the market, a time is coming when the security of a connected device will matter in the eyes of a non-technical consumer. 

Read the full report

The proliferation of IoT devices is changing how organizations operate and how consumers interact around the world. It’s exciting to see such innovation unfold. At the same time, organizations are under growing pressure to protect their IoT and connected devices while navigating an increasingly complex digital landscape that requires complete trust.

The findings of Keyfactor’s report reiterate the importance of identity-first security for those who manufacture IoT devices and those who deploy and operate them in their environment to establish digital trust at scale.

Don’t wait for a security breach to act — learn how to bolster IoT security now. Access the full report here.