Worldwide spending on the Internet of Things will total nearly US$773 billion this year, IDC has predicted.
The IoT will sustain a compound annual growth rate of 14.4 percent, and spending will hit $1.1 trillion by 2021, according to the firm’s forecast late last year.
Consumer IoT spending will total $62 billion this year, making it the fourth largest industry segment, after manufacturing, transportation and utilities. The leading consumer use cases will be related to the smart home, including home automation, security and smart appliances, IDC said.
Cross-industry IoT spending, which encompasses connected vehicles and smart buildings, will gobble up $92 billion this year, and will be among the top areas of spending for the next three years.
IoT growth will get a boost from new approaches coming from firms such as China’s Tuya Smart, which combines hardware access, cloud services, and app development in a process that lets manufacturers transform standard products into smart products within one day.
Shadow IoT Devices on Enterprise Networks
One third of companies in the U.S., the UK and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a recent Infoblox survey of 1,000 IT directors across the U.S., the UK, Germany and the UAE.
The reported shadow IoT devices included the following:
- Fitness trackers – 49 percent;
- Digital assistants such as Amazon Alexa and Google Home – 47 percent;
- Smart TVs – 46 percent;
- Smart kitchen devices such as connected microwaves – 33 percent; and
- Gaming consoles – 30 percent.
There were 1,570 identifiable Google Home assistants deployed on enterprise networks in the U.S. as of March, according to the Infoblox survey. There were 2,350 identifiable smart TVs deployed on enterprise networks in Germany, and nearly 6,000 identifiable cameras deployed on UK enterprise networks.
Shadow IoT devices are devices connected to the company network but not purchased or managed by the IT department, according to Infoblox.
“Often IoT devices are added to the network without the direct knowledge of IT,” noted Bob Noel, director of strategic relationships and marketing for Plixer.
“Companies need to pay attention to the deployment of IoT devices, which are regularly put online with default passwords, legacy code riddled with known vulnerabilities, and a lack of defined policies and procedures to monitor them, leaving companies extremely vulnerable,” he told the E-Commerce Times.
More than 80 percent of organizations surveyed said security was the top consideration in IoT purchase decisions, said Brent Iadarola, VP of mobile & wireless communications at Frost & Sullivan.
However, “the unfortunate reality today is that unknown assets and unmanaged networks continue to exist in enterprise networks and are often overlooked by vulnerability scanners and solutions that monitor network changes,” he told the E-Commerce Times.
Still, “we have started to see some movement towards integrated IoT security solutions that offer end-to-end data collection, analysis and response in a single management and operations platform,” Iadarola noted.
Security for the IoT
“IoT security is highly fragmented and many devices are vulnerable,” observed Kristen Hanich, research analyst at Parks Associates.
“There are a large number of devices out there with known weaknesses that can easily be exploited by commonly available attacks,” she told the E-Commerce Times.
Most of these devices won’t receive protective updates, Hanich said, and “as most IoT devices are put in place for years or even decades, this will lead to hundreds of millions of vulnerable devices.”
Cybercriminals have been launching newer and more creative attacks on IoT devices, either to compromise them or to leverage them in botnets.
For example, Wicked — the latest version of the Mirai botnet malware, originally released in 2016 — leverages at least three new exploits.
A new version of the “Hide-and-Seek” botnet, which controls more than 32,000 IoT devices, uses custom-built peer-to-peer communication and multiple anti-tampering techniques, according to BitDefender.
“We should be preparing ourselves for many years of attacks powered by IoT botnets,” Sean Newman, director of product management for Corero Security, told the E-Commerce Times.
Cost is a problem with IoT security, Parks Associates’ Hanich noted. “Security must be built-in from the onset, which takes time and effort. It also requires regular maintenance and updates after selling the devices, potentially for many years.”
Many device makers are skipping security to keep their prices down, she pointed out, as security “does not drive unit sales of their products.”
Medical Devices and IoT Security
The IoT’s healthcare component includes connected medical devices and consumer wearables such as smartwatches and fitness trackers.
Medical device manufacturers increasingly have been incorporating connectivity to the Internet, but 53 percent of healthcare providers and 43 percent of medical device manufacturers don’t test their medical devices for security, noted Siddharth Shah, a healthcare industry analyst at Frost & Sullivan.
Few have taken significant steps to avoid being hacked, he told the E-Commerce Times.
Network-connected medical devices “promise an entirely new level of value for patients and doctors,” said Frost & Sullivan healthcare industry analyst Kamaljit Behera.
However, “they also introduce new cybersecurity vulnerabilities that could affect clinical operations and put patient care at risk,” he told the E-Commerce Times.
“The perceived risk from connected medical devices within the hospital is high, but steps are now being taken to prevent attacks,” said Frost’s Shah. “Still, there’s lots to be done.”
The risk to enterprise networks of being hacked through consumer healthcare-related devices “isn’t a big issue,” according to Greg Caressi, global business unit leader for transformational health at Frost & Sullivan.
“Personal devices are not commonly connected to private corporate networks other than healthcare IT vendors,” he told the E-Commerce Times.
Google and Apple have been leading the charge of smart devices into the healthcare realm, with other companies, such as fitness device manufacturers, following suit.
Security Risks in a Technology-Driven World
Technology has certainly changed how the world works, influencing almost every aspect of modern life. But while modern technology undeniably brings a number of advantages across multiple sectors, it also has its share of downsides. The inter-connectivity that ties all devices and systems to the internet has invited malicious forces into the mix, exposing users and businesses to a wide range of threats. How do you stay safe and secure?
From the comforts of home (the tech in your home)
Your mobile phone’s alarm wakes you up in the morning, but you get up to check updates from your social media network. News and updates used to come via the morning paper and conversations over the phone. More than a decade later, scanning social media feeds is the new norm for a lot of people.
Home appliances like televisions and air conditioners can now be controlled using your phone via an app, and it is just one of the many examples of IoT technology reaching the market. Alexa, Amazon’s voice control system that powers the wireless speaker called Echo, allows users to search the Web, shop online, get weather reports, and control smart-home products without having to use a remote or phone. Reports say that over 24 million voice-enabled machines were shipped in 2017, and the growth shows no sign of stopping.
Meanwhile, other IoT-powered devices are designed to eliminate the need for regular configuration or adjustment. Smart thermostats can automatically regulate temperature, while smart fridges are capable of informing users whenever supplies are low.
Out on the Road
When you leave home for work, the thought of commuting comes with a feeling of dread because of expected traffic and pollution. Modern transportation network companies like Uber and Lyft found a way to increase the per capita utility of a car, reduce congestion and carbon emissions, and eliminate the need for parking spaces. The power of interconnectivity has provided car-sharing and car-pooling services an online platform that connects passengers to commercial drivers, which makes life more convenient for people who commute to work.
Smart traffic management already exists in some cities. It requires a centralized system to control traffic lights and sensors that regulate traffic throughout a city, optimizing traffic flow and reducing waiting time for pedestrians who want to cross streets.
At the workplace, biometric systems such as fingerprint scanners and facial recognition systems are being utilized for employee verification. Replacing knowledge-based passwords for secure office entry is just one of the many uses of biometric authentication. Biometric technology is also seeing increasing adoption among industries and governments across the globe, with its integration in smartphones, the adoption of biometric systems by government facilities, and its rising use in financial and critical sectors, among others.
Security Technologies for the Financial Sector
For financial institutions, keeping an ever-stronger security posture has become a necessity, but the technologies that support web security change as rapidly as the threats. Even an institution that thinks it has solid web security tools and practices in place needs to periodically reassess them to keep pace.
Several core IT security controls must be included in any robust solution to provide multi-layered security. Having multiple layers of security is more important than ever because no single security tool is effective against most threats.
UNIFIED THREAT MANAGEMENT
UTM technologies bundle several security capabilities into a single network-based device to protect both web servers and web client devices. UTM capabilities include firewalling, intrusion detection and prevention, virtual private networks, anti-malware and web content filtering. These functions are all critical for any modern IT environment, and by bundling them into a single device, greater performance and lower costs can be achieved. Examples of UTM technologies include Palo Alto Networks’ PA-5000 series, Cisco Systems’ Adaptive Security Appliance and Fortinet’s Unified Threat Management solution.
Endpoint security solutions are similar to UTM technologies in that they bundle multiple security capabilities into a single product, but they are software-based and are targeted toward user devices, such as desktop and notebook computers, smartphones and tablets. Symantec Endpoint Protection, Trend Micro Enterprise Security for Endpoints and McAfee Total Protection for Endpoint are examples of products in this space.
Typical capabilities offered by endpoint security solutions include anti-malware functions, firewalling, and intrusion detection and prevention. Because they are host-based, not network-based, endpoint security solutions travel with the device, so they can protect it from threats no matter where the device may be used, including external environments that do not provide network-based security controls. Keeping web client devices “clean” of malware and other forms of attack is key to reducing web server and application compromises caused by leveraging user access.
WEB AND EMAIL SECURITY
Dedicated devices or server add-ons can examine web and email traffic for suspicious or malicious content and handle this traffic appropriately. It may not be immediately obvious that email security is necessary for web security, but many of the attacks that involve malicious web activity are initiated through malicious emails. Examples of email security gateways are Cisco’s Email Security Appliance, Proofpoint’s Enterprise Protection and McAfee’s Email Protection. Web security gateways include Cisco’s Web Security Appliance and McAfee’s Web Gateway.
ENCRYPTION OF DATA AT REST
Most financial institutions are well aware of the need to encrypt sensitive data in transit over unprotected networks, but it is increasingly important to encrypt sensitive data at rest (on storage) as well. Banks and credit unions have a wide variety of enterprise storage encryption products to choose from. While they all provide the same basic encryption and key management functionality, these tools support encryption of different kinds of storage. Some products support endpoint encryption only (for example, hard drives or removable media), while others also support encryption on file shares, cloud storage and other network-accessible locations. Examples of products that possess this functionality include Sophos SafeGuard Enterprise Encryption, the Symantec Encryption family, RSA Data Protection Manager and McAfee Complete Data Protection (for endpoints only).
Vendors such as RSA and 2FA provide a variety of software and hardware-based products for enterprise authentication services. These services support web security because they enable the use of diverse authentication methods, including multifactor authentication with cryptographic tokens, smart cards and biometrics. Using multifactor authentication greatly reduces the chances that an attacker can steal a legitimate user’s credentials and reuse them. Some enterprises choose to use multifactor authentication for administrators only, while others have moved toward multifactor authentication for all internal users.
The Dismal State of Healthcare IoT Security
The healthcare industry has been moving toward medical equipment connectivity to speed up data entry and recording, as well as improve data accuracy. At the same time, there has been a shift toward incorporating consumer mobile devices, including wearables, so that healthcare providers can monitor patients’ health more closely and improve treatment.
“The demand for connected devices has increased rapidly in recent years,” noted Leon Lerman, CEO of Cynerio.
“The number of connected medical devices, currently estimated to be approximately 10 billion, is expected to increase to 50 billion over the next 10 years,” he told the E-Commerce Times.
Worldwide, consumer interest in smart wearables — those from Apple, Fitbit and various fashion brands — has been growing, according to IDC.
Wearables sales in Q1 exceeded 25 million units. Sales of smart wearables in that period were more than 28 percent higher year over year, while sales of basic wearables fell by about 9 percent.
The smarter devices from major brands such as Apple and Fitbit incorporate more sensors and improved algorithms, and have access to historical underlying data, noted Jitesh Ubrani, senior research analyst for IDC mobile device trackers, which makes them useful for monitoring user health.
Wearable makers increasingly have been incorporating cellular connectivity into their products, leading to the emergence of new use cases. About one third of all wearables sold in Q1 included cellular connectivity.
Apple has been pushing deeper into healthcare with the Apple Watch, which connects wirelessly with an iPhone.
Fitbit has partnered with Google on a range of enterprise and consumer health solutions.
Further, medical equipment manufacturers increasingly have been incorporating connectivity into their products.
However, connecting wearables to networks comes at the cost of increased security risks.
“With the number of IoT and connected devices being used within hospitals constantly increasing and diversifying in their nature, the exposure to potential devices is great,” Cynerio’s Lerman noted.
Such devices range from MRI machines to insulin pumps, and “the sheer number of devices in a single hospital also means that staff are often unaware of threats, so breaches can go undetected,” he pointed out.
Network-connected medical devices “promise an entirely new level of value for patients and doctors, but they also introduce new cyber security vulnerabilities that could affect clinical operations and put patient care at risk,” Kamaljit Behera, healthcare industry analyst at Frost & Sullivan, told the E-Commerce Times.
Last year, 75 percent of healthcare organizations experienced a cybersecurity incident, noted Frost & Sullivan healthcare industry analyst Siddharth Shah.
Attitudes toward cyber security have been mixed, however. Seventy-one percent of the healthcare organizations that responded to an HIMSS survey last year indicated they had allocated a budget for cyber security, Shah told the E-Commerce Times.
However, based on the firm’s research, 53 percent of healthcare providers and 43 percent of medical device manufacturers “do not test their medical devices for security, and few are doing anything about being hacked,” he said.
“Some improvement” in cybersecurity is expected this year, Shah said. The healthcare industry “is gradually moving from a reactive approach to a proactive one, but there’s still lots to be done.”
Hospitals’ IT security budgets are relatively low, Lerman pointed out. So, hospitals “have a relaxed security posture, with unsecured connected medical devices being the golden ticket for hackers.”
Patient data is “valued at approximately 10 times the value of a standard credit card,” he remarked.
The lure of riches has spurred hackers’ creativity, observed Sean Newman, director of product management at Corero Network Security.
“Evidence of continued cybercriminal investment and innovation … reinforces the need for organizations requiring continuous Internet availability to deploy the latest generation of real-time, automatic DDoS protection solutions,” he told the E-Commerce Times.
There already are cybersecurity frameworks in use at hospitals, Shah said.
Further, the United States government has been working to improve the situation: The U.S. Food and Drug Administration has published a medical device safety action plan, for example. It also collaborates with the U.S. Department of Homeland Security on medical device cybersecurity issues.
Wearables Are Low Risk
The risk from wearables is low level, “assuming the healthcare entity is segmenting the data flow from remote personal healthcare devices into a separate data repository and not their electronic health records,” said Greg Caressi, global business unit leader for transformational health at Frost & Sullivan.
That’s the “more likely architecture” to be adopted for both analytics and security purposes, he told the E-Commerce Times.
The increasing trend toward consumerism in healthcare has given rise to a new debate, said Frost’s Behera, over whether to make individuals the actual owners of their data, with sole access control to promote interoperability.
“It’s a great vision,” said Behera, “but the bigger question is, how well are individuals prepared, equipped and educated to protect access to their health data on their smartphones or their home Internet networks?”
A Possible Healthcare Security Strategy
Each device maker implements its own security solutions, and the medical device industry “is struggling to take what they’ve learned and apply it,” noted Rod Schultz, chief product officer at Rubicon Labs.
What’s needed is a paradigm shift, he told TechNewsWorld.
Every connected medical device maker should not attempt to reinvent the cybersecurity wheel, Schultz said. Instead, they all should rely on mobile phones, which are “the natural cornerstone of security for a connected medical device.”
Finding a way for mobile phones to do as much of the heavy cybersecurity lifting as possible “will work — but will require device makers to concede and cooperate with Apple, Google, Microsoft and Amazon,” he pointed out.
“Standardization may eventually spin out of this,” Schultz suggested, “but in the short and medium term, looking for a halo of security from the biggest mobile device and cloud providers seems like a viable security strategy.”