How are the dynamics of IoT security changing and how will this impact you, your family and your business?
I was delighted to host a roundtable discussion on exactly this, now available here, exploring the true cost of insecurity for digital transformation, brand reputation, the bottom line and beyond. We also explore whether cross-ecosystem collaboration holds the key to a more secure, confident and connected future – and as a sneak peek, we believe this is a resounding Yes! – sharing multiple examples of what this ‘looks like’ in practice.
And our stellar panel very much represented this ethos of inclusive co-creation and diversity of experience coming together to tackle critical challenges, comprising David Maidment, PSA Certified; Tim Davy, Cyber Specialist, Munich Re; Veena Dholiwar, Department for Digital, Culture, Media & Sport (DCMS); Madeline Carr, UCL; and Elisa Costante, Forescout Technologies. Our conversation was divided into core pillars and here I share some ‘knowledge nuggets’ from the discussion.
Over the last 18 months we have seen a heightening of security threats affecting organisations from SME to Enterprise. A number of different risk vectors have combined, including heightened digital transformation with an explosion of IoT device adoption across hybrid uses, the data volume surge, expanded technology convergence, increasing IT/OT integration, supply chain complexity, the acceleration in sharing personal information online at a scale, speed and consistency never seen before, bad actor collaboration… the list just goes on.
And by exploring just one of these change examples in more detail, the contagion effect takes centre stage. Ofcom estimates that in 2016 there were 13.3 million IoT connections in the UK with 5.7 million consumer electronics and fast-moving consumer goods, including consumer wearables, household electricals and smart home devices. By 2024, this is estimated to increase to some 39.9 million connections! The time is clearly now to re-evaluate what security and the cost of insecurity really means.
“We’re living in the age of convergence, with different technologies coming together, which creates new opportunities but it can also expand threat vector areas. Embedding trust is now the biggest currency of our time.” Prof Sally Eaves, Chair of Cyber Trust GFCYBER
Based on recent UK research, the average cost of a successful cyberattack is £3,230 (Vodafone Business 2021), but the cost goes far beyond the financial to broader issues of brand reputation, customer retention and new consumer acquisition – it’s a business resilience and continuity imperative! Ultimately, embedding security by design is pivotal to the bottom line today, and increasingly to securing competitive advantage tomorrow. With this multi-level risk scenario, the time is now to create more value by advancing an IoT security approach that focuses on prevention above cure, necessitating a top-down, business-level approach and deploying services at scale. As part of this, a focus on the significant physical risk element is also vital; it affects organisations of all sizes, yet often remains underexplored.
“One of the new risks is that the IoT brings the capacity to have effects in the physical world. To change something in the physical world and with that we introduce a new load of liability that we haven’t considered within the world of cybersecurity.” Madeline Carr, UCL.
And moving beyond this, we also explore the latest developments in the chip industry and components, barriers to security implementation across the value chain, the evolving economics of IoT and the path to advance beyond cost-per-unit, reflecting the trajectory of cybersecurity laws which mandate ever more robust device-level security. This also moves us naturally onto our next pillar theme!
The cost of cybercrime is rising and is set to reach $6.5 trillion this year globally, with costs of $10.5 trillion annually by 2025 according to recent research by Cybersecurity Ventures. Indeed, this cost explosion has even resulted in the Lloyd's Market Association releasing four new ‘cyber war and cyber operation clauses’ for members to adopt in their insurance policies. Alongside the heightened rate of technology change and evolved consumer behaviours and expectations, the level and scope of regulation, security, compliance and governance requirements for organisations are expanding too, with geographical differences adding to the complexity. With this ever-changing and insecure risk landscape, how can organisations best evaluate risk and identify liability? We deep dive into Cyber Insurance, the IoT and ways to mitigate risk, including around certification and quantification – and a reminder that this can all be viewed in full here for all the insights!
“Knowing what good looks like is very important - having standards and regulations in place is very important as it puts a yardstick in place and sends everyone in the right direction.” Tim Davy, Munich Re
Alongside data, trust is probably the most important currency of our time. Indeed, recent research by Edelman, who have been benchmarking dimensions of trust for over 17 years, shows changes in societal perceptions, notably that there is typically greater trust in business today than in governments or even NGOs – this brings to the fore the criticality of organisations using their ‘sphere of influence’ for meaningful impact, especially in key areas such as security. The continuum of transparency, commitment, ownership and accountability is central here, especially in areas of risk complexity:
“We typically associate a vulnerability to a product. When you find a vulnerability within a product you go and say you are vulnerable because you are running this component. But the vendor of the product is not always the same as the manufacturer of that component – so who is liable? Who should start securing those products?” Elisa Costante, Forescout Technologies.
Supporting all of the above, enhancing education and awareness around security risks is vital, especially in two areas. Firstly, SMEs, where an eye-watering 65% have suffered a cyberattack across 2019-20 compared to 46% of all businesses (Towergate), and furthermore they are attacked repeatedly too! SMEs suffering a breach are being hit an average of 6 times each within that period – a staggering once every two months! (NatWest). Phishing, social engineering and supply chains are key risk areas, coupled with misconceptions around protection – as an example, many SMEs believe incorrectly that cybersecurity controls are included in the IT products they have purchased and that no additional security measures are needed, unless mandated by compliance requirements or regulations (ENISA 2021). Secondly, and a key focus area of the UK’s Department for Digital, Culture, Media & Sport (DCMS), we have the Consumer grouping, where similar issues on awareness emerge.
“1 in 5 consumers already check security; however we found that a high number of consumers expected that a high level of security was already built into a device.” Veena Dholiwar, Department for Digital, Culture, Media & Sport (DCMS)
Looking ahead, collaboration is clearing the path forward to address the range of often interconnected issues we have discussed, and across local, national and international perspectives too. Cybersecurity doesn’t stop at a border, whether within a data packet, device, data centre, network or geographical location! And this could not be more pressing when we consider the growth of bad actor collaboration globally too.
“Fragmentation is the friend of the bad actors” David Maidment, PSA Certified.
Whilst there is no uniform solution and no one party can be held responsible for delivering a more secure IoT, the connected future we are starting to build depends on it. Let’s come together to build a contagion of positive and co-creative change in this vital area. One example of this is the approach of PSA Certified – more information can be found here.
And finally, just a reminder that to learn more insights into the barriers currently hindering the potential of IoT and to dive deeper into how organisations, industry, government and consumers alike can align together to collaborate and build greater trust and ecosystem assurance in today’s increasingly connected world, the full webinar is available to view now here. All follow-on questions most welcome!
Dr. Sally Eaves is a highly experienced Chief Technology Officer, Professor in Advanced Technologies and a Global Strategic Advisor on Digital Transformation specialising in the application of emergent technologies, notably AI, Security, IoT, Cloud and 5G disciplines, for business transformation and social impact at scale. An international Keynote Speaker and Author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations and has been described as the ‘torchbearer for ethical tech’ founding Aspirational Futures to enhance inclusion, diversity and belonging in the technology space and beyond. Sally is also Chair of Global Cyber Trust at GFCYBER.
Dr. Sally Eaves is a highly experienced Chief Technology Officer, Professor in Advanced Technologies and a Global Strategic Advisor on Digital Transformation specialising in the application of emergent technologies, notably AI, FinTech, Blockchain & 5G disciplines, for business transformation and social impact at scale. An international Keynote Speaker and Author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations in 2018 and has been described as the ‘torchbearer for ethical tech’ founding Aspirational Futures to enhance inclusion, diversity and belonging in the technology space and beyond.