An IOActive IoT Security Survey revealed that nearly half (47%) of all respondents felt that less than 10% of all IoT products on the market are designed with adequate security. About 85% believe that less than half of IoT products are secure. However, 63% of respondents felt the security in IoT products is actually better than in other product categories – which the survey said is a sobering revelation of the state of security sentiment for categories such as software, computing hardware, and medical devices.
“Consensus is that more needs to be done to improve the security of all products, but the exponential rate at which IoT products are coming to market, compounded by the expansive risk network created by their often open connectivity, makes IoT security a particular concern and priority,” said Jennifer Steffens, chief executive officer for IOActive. “According to Gartner, 21 billion connected things will be in use by 2020. It’s important for the companies that develop these products to ensure security is built in; otherwise hackers are provided with opportunities to break into not only the products, but potentially other systems and devices they’re connected to.”
“Companies often rush development to get products to market in order to gain competitive edge, and then try to engineer security in after the fact. This ultimately drives up costs and creates more risk than including security at the start of the development lifecycle,” Steffens concluded.
The survey showed that 72% of respondents believe that security not being adequately designed into products is the single biggest challenge facing IoT security. A majority of the security professionals surveyed also felt that uneducated users and user error (63%) and data privacy (59%) were challenges to IoT security.
As remedies to these challenges, respondents pointed to minimum security standards and the enforcement of mandatory product recalls, updates, or injunctions as the two most effective means of improving IoT product security. Additionally, 83% believe that public disclosure of vulnerabilities on its own is not enough, and that some form of regulatory action would be more effective.