GSMA Intelligence’s Enterprise in Focus survey is out. It is our third annual survey, contacting more than 2,800 enterprises to capture their attitudes towards IoT. As a part of it, together with Pelion, we have also prepared a report which asked enterprises what they are thinking about and doing with IoT security.
The responses suggest enterprises are progressing on their IoT security journey, which is encouraging. For example, it is clear there is a level of appreciation of the importance of IoT security: the proportion of enterprises which have changed their security practices as a result of their IoT deployments has remained relatively unchanged, at around 85 per cent for the last two years. While the number is not going up, this is still progress, since enterprises used to perceive IoT security as an afterthought (or burden to bear) and treat it as a hygiene factor. In fact, our research also shows a shift in the reasons why enterprises have adapted their security practices to IoT deployments.
85 per cent of enterprises have changed their security practices. Why is this data point important? For the second year running, the proportion of enterprises which have changed their security practices as a result of their IoT deployments was around 85 per cent. We can be pessimistic that not every business is as security-minded as we want them to be. However, 85 per cent is still a significant majority of enterprises…and who ever thought 100 per cent was possible? But, why is this 85 per cent important? Because we can now say that a significant majority of enterprises care about IoT security enough to take steps to ensure they can rely on the IoT data to make business decisions. After all, if they cannot trust the integrity of said data, they cannot use it to make business decisions or automate work processes.
If enterprises say they have changed their security practices, what have they actually done?
For a start, unsurprisingly, more enterprises still indicate security features are the most important factor in their IoT solution purchasing decisions. The survey also revealed enterprises are more likely to build security features in their IoT solutions from what they are familiar with, of enterprise IT and cloud security. While this is not wrong (there is no wrong or right way), applying IT and cloud security to IoT only addresses part of the three common IoT threat scenarios. Across any IoT solution in any sector and application, the three common security attack scenarios are attacks to devices, cloud servers and the communications networks. We infer from the survey that while enterprises are increasingly aware of the importance of IoT security, they are still mainly fitting traditional IT/cloud security concepts to their IoT deployments. IoT security is more than IT/cloud security.
Why have enterprises changed their security practices? Are they changing because they have to do by law or are there other reasons? As the chart, below, illustrates (click to enlarge), there are a spectrum of motivations for making changes to security policies, with traditional compliance reasons on one end and an active goal on the other.
Why is it important to uncover the motivation behind enterprises’ behaviours? Because we can infer their security journey progress based on their stated reasons and actions. Let us examine the different reasons starting with the most active and aspirational reason.
61 per cent say they want to establish security leadership as their unique selling point. We categorise this as the most active reason because the enterprise is driven by the desire to demonstrate a security mindset throughout their processes and IoT deployments. This means the enterprise takes steps throughout its IoT deployment lifecycle so customers and suppliers can trust the data generated. In reality, of course, this goal is aspirational because we do not have many examples of enterprises which actually make this claim. Achieving this requires more concrete ways than simply changing existing security practices. It requires enterprises to apply IoT security needs to both IT and business requirements when making that IoT purchasing decision.
52 per cent say they want to protect reputation in case of incidents. When security incidents make it to mainstream (not industry) news, even regular readers know a company not only suffered a breach but also probably did not make their solutions as secure as they could. Zoom’s experience during the early days of Covid-19 (coronavirus) lockdown demonstrated how it protected its reputation by building trust with their customers. It first acknowledged it could have done more on security and privacy and then fulfilled a publicly communicated schedule of actions to remedy the situation. For IoT, the way to build that trust with customers and suppliers is for the enterprise to integrate IoT security needs with their overall security strategy and for the organisation to have a playbook in which to respond to security incidents throughout key organisational stakeholders. In reality, enterprises tended to extend IT security to IoT solutions, creating a blind spot with potentially severe economic implications. A good first step is therefore to ensure enterprises have visibility of their IoT deployments, from the status and health of the IoT connection to the device and application.
<50 per cent say they need to comply with regulations or customer and/or supplier requirements. We categorise this as being the most passive reason since the reason for change is because someone requires it. In the last two years alone, the UK, Australia and recently the US, have introduced IoT security-specific regulatory requirements. We expect regulatory pressures will only continue to accelerate when more countries adopt similar requirements. Where IoT devices are likely to be manufactured and activated in different territories, enterprises will find themselves with a more intense regulatory environment. We also expect increasing pressure from suppliers to demand enterprises along the value chain to demonstrate good security practices. We know IoT is not sector or even country specific. An ever-connected society made up of different IoT applications is reliant on data and requires every stakeholder to trust it. In this imminent future, it becomes more important that the average enterprise is able to demonstrate trust not only in its own practices but also throughout the lifecycle of the IoT solution.
What next for enterprises?
Our survey revealed enterprises have good intentions but have not always executed on those yet. To get them further on their security journeys, they need remember two immediate factors. First, IT security is not the same as IoT security. For example, simply taking what cloud vendors offer as IoT security may not be sufficient for their IoT solutions. Secondly, they might consider alternative approaches. To know what is happening in their IoT deployments is an important first step. To be able to monitor and remotely manage IoT devices in the field provides enterprises control. Even better is for enterprises to obtain optimal features in their IoT solutions with performance, cost and security in mind. Apply IoT security considerations to IoT deployments. Stop forcing IT security to address IoT security challenges.