Hollie Hennessy, Principal Analyst, IoT Cybersecurity, Omdia
November 6, 2024
COMMENTARY
A broad array of Internet-connected devices have become a part of our lives, whether the mobile devices that we use daily, the Internet of Things (IoT) devices often spread throughout our "smart" homes, or even the medical devices that help provide us care when we need it.
These devices are now a fixture of our lives, professionally and personally. Unfortunately, they bring with them countless cybersecurity challenges.
Consumers Must Watch for Insecure Devices, Scams
Historically, home IoT devices in particular have been neglected when it comes to cybersecurity. Security was rarely a concern for consumer device makers.
However, we've seen positive movement by governments globally, offering up new guidelines and regulations to facilitate better security of these products for consumers. In October alone, the Cyber Resilience Act (EU) was adopted by the council, and Australia announced its Cybersecurity Bill 2024, which proposes new security guidelines for smart devices.
That said, consumers should be aware that manufacturers might not yet be doing the best they can regarding cybersecurity. Cheap devices sold on online marketplaces often are riddled with vulnerabilities, despite looking like a good deal. Fortunately, once a number of promising new and proposed regulations take effect in many regions, this will no longer be the case — but for now, consumers must still largely look out for themselves.
Scams are one of the most common cybersecurity issues for consumers, and IoT and mobile devices can make these scams easier to perpetrate. Mobile devices have put everything in the palm of our hand, even our financial transactions; a seemingly legitimate mobile application or a well-timed smishing message can do great harm. Consumers should be wary of anyone telling them to download an application or take any other unusual action, especially if they are asking for payment without receiving any services.
For example, in Singapore, millions of dollars are lost to scams, whether carried out through social engineering or enabled by malware. Scams have also proliferated on social media, including Facebook, Instagram, and LinkedIn. While the government, banks, and device makers are working to address issues like this, consumers must practice vigilance throughout daily life.
IT-OT Combination Is Emerging Issue
For enterprises, even though information technology and operational technology (IT and OT) security are generally handled separately, Omdia believes a holistic strategy incorporating both will be increasingly important.
Organizations are also increasingly relying on IoT and other cyber-physical devices — many of which fall into critical national infrastructure sectors such as energy, transport, wastewater, and healthcare. Often, IT security tends to get a lot of focus, but it's the entire landscape, including IoT and OT, and the gaps in between that need to be adequately secured.
Enterprises will increasingly be affected by regulation as well. October also saw the deadline for European Union member states to implement the NIS 2 Directive — which is intended to enhance the security and resiliency of networking and information systems in the EU — into national law. Requirements are broadly focused on reporting, accountability, risk management, and business continuity, with minimum requirements spanning these categories, such as incident response planning, cybersecurity training, and tooling such as multifactor authentication and employee and asset access.
Despite regulatory burdens, Omdia's research suggests that cybersecurity maturity — at least for cyber-physical assets — isn't quite where it needs to be. Omdia's 2024 Cybersecurity Decision Maker Survey revealed that only 37% of organizations are confident that their business could continue to operate efficiently in the event of a cyber-physical system compromise, yet around a third do not have an adequate strategy for securing IoT devices.
Device Manufacturers Facing Major Strategic, Operational Adjustments
For device manufacturers, it's time to start thinking about how to adapt to an evolving regulatory environment. Even small manufacturers hoping to sell into regulated regions will need to adhere to cybersecurity requirements — setting up the product security teams, processes, and supporting technology will take a significant period of time. Collaborating effectively between product security and cybersecurity teams is no mean feat.
Considering the software and firmware element of product security also will be key. This will require new and enhanced communication between engineering and cybersecurity teams, alongside DevSecOps processes. Omdia's research suggests that consumers see security as a purchase driver for IoT devices, so it's best to start to ensure devices are secure sooner rather than later.