The Troubling State of IoT Application Security

Towards the end of 2016, as everyone was summarizing the highest highs and the lowest lows of the year and attempting to foresee what directions 2017 would take, IoT was hailed (again) as one of the top trends. Business and tech forecasts were guesstimating that 2017 was going to be the year that the Internet of Things would (finally) take over all aspects of our daily lives: at home, at work, and in transit. Businesses and organizations were also encouraged to update their business models and leverage IoT to drive revenue. Now that we’ve arrived at mid-2017, it seems that while IoT is, in fact, spreading across all industries and organizations, 2017 may be the year IoT security arrives at the forefront – and it’s about time.

Reducing Enterprise Application Security Risks: More Work Needs to Be Done

Anyone connected to the internet will probably agree that all those prophets of tech had done their homework. IoT is impacting industries on a global scale, in pretty much every area: agriculture, government, healthcare, the automotive industry and public transportation, robotics, utilities – the list goes on and on. The diverse technological innovations around IoT connectivity are continually evolving – but are security policies and practices keeping up with that pace?

With Great Connectivity Come Greater Risks

A recent study by the Ponemon Institute on Mobile and Internet of Things Application Security revealed how unprepared many companies are when it comes to risks caused by vulnerabilities in IoT apps, and how much concern that brings to all professionals involved. The study surveyed nearly 600 IT and IT security professionals who are familiar with their organization’s security practices during the development lifecycle of IoT applications.

The study shows that many organizations are worried about an attack against IoT apps that are used in the workplace, but despite that concern, respondents felt that their organizations are having a difficult time securing IoT apps and aren’t mobilizing against the threat. While 75% of respondents said they knew that the use of IoT apps increases security risk significantly, and 70% of respondents were very concerned about the use of insecure IoT apps in the workplace, nearly half said they are taking no steps or were unsure if their organization was doing anything to prevent such an attack.


According to the results, the rush to get products out to market and satisfy market needs often takes precedence over security concerns: 62% of the respondents rated end-user convenience when building and deploying IoT apps in the workplace as an important consideration, and only 30% of respondents said their organization allocates sufficient budget to protect IoT devices. Many estimated that motivation to invest in security would only rise in the event of a serious security incident, new compliance requirements or news of a serious hacking incident affecting another company.


Only 20% of IoT Apps Tested

Most respondents pointed to a lack of quality assurance and testing procedures for IoT apps: 80% of IoT applications aren’t tested at all. They said testing is ad hoc, if done at all, even though many of the IoT apps that are tested contain significant vulnerabilities. In addition, when testing is performed, it’s usually not before the production phase.


Time to Put IoT Security First

These results are extremely troubling. As investment in IoT development continues to grow exponentially, and these technologies continue to become a bigger part of our lives, it’s important that organizations focus on security and on mitigating the threats to code and data security. IoT solutions incorporate software and devices from different organizations, not to mention the prominence of open source projects in the IoT landscape. They include a variety of languages and protocols. It’s critical to put procedures, policies and tools in place, from the very beginning of the application development cycle, to ensure all components are secure. A comprehensive process that addresses security from the start of product design and tends to all aspects, system-level security and data security management alike, needs to become a priority.