Insecurity affects us all, whether we own several smart home devices, hundreds of connected cameras, or thousands of industrial sensors. In fact, a report by Cybersecurity Ventures estimates that cybercrime will cost the world more than US$6 trillion annually by next year. And as the number of global connections scale, bringing with them a myriad of new markets and verticals for hackers to exploit, that number is only set to accelerate.
Security should be the bedrock of digital transformation and the connected world we’re beginning to build. But in the most part, it is still perceived as a cost, rather than a value. Manufacturers are quick to under-invest in security in favour of reducing time-to-market, or driving innovation, while glaring gaps in best practice security design and implementation remain. The question is, what risks is this exposing and at what price?
With consumers, businesses and Government now mandating more robust device-level security and the cyber risk landscape becoming ever more complex, it’s time to adapt the economics of security away from cost-per-unit and towards having a security baseline to protect against the most common hacks.
An economic challenge
The foregone revenue to firms faced with a cyber attack can reach into hundreds of thousands of dollars. Mid-market companies surveyed by Grant Thornton reported losses of up to 25% of their revenue following a cyber attack, while digital platform security provider Irdeto predicts that the estimated cost of an attack on IoT devices currently stands at $330,000.
Zoom out to a global level and the predicted cost of cybercrime damages is likely to reach a staggering $10.5 trillion by 2025.
But the true cost of insecurity transcends far beyond the bottom line and financial metrics. The reputational risk a data breach poses, along with the indelible threat to customer confidence and trust that comes with it is a growing source of concern.
Over half (58%) of those surveyed in our 2021 PSA Security Report expected their reputation to be damaged by a cyber attack. And with reports suggesting that 8% of Dyn’s customer base stopped using its services following a DDoS attack in 2016, reputational impact can quickly translate into a loss of customers, revenue and investment.
Add to that the cost of restoration and investigations, coupled with the huge strain on resources required to repair from a cyber incident, and the case for shifting IoT security from a hygiene factor to a headline feature has never been stronger.
Carriers to IoT security
Security is a never solved problem; it takes time, resources and considerable expertise to implement. So with many businesses challenged to determine and quantify the cost of security failure upfront, it is often reserved for those organisations with the greatest capital to invest.
Our 2021 PSA Security Report showed that over half of respondents (52%) consider the additional cost of security to be a top barrier to implementation, while ‘uncertain ROI’ and a ‘lack of buy-in’ was cited as a blocker to ongoing security investment for 54% of those surveyed. These figures were higher still for smaller firms with a lack of in-house expertise and bandwidth to invest continually in security.
Manufacturers remain driven by cost per unit as a metric of success and the need for upfront capital presents a clear barrier when it comes to IoT security. But prioritising security is about more than just damage limitation; it can also be a point of competitive differentiation that builds consumer trust. 93% of tech decision-makers in our report believe security can be a differentiator in the IoT marketplace and a further 42% believe that best practice security makes them look good as an organisation.
Prevention over cure
As the threat landscape becomes increasingly complex, security needs to be valued for what it really is: an opportunity for competitive advantage and a catalyst for digital transformation. Consumers are waking up to the realities of an insecure world, and there’s a growing expectation and regulatory requirement for security to be built into every product. Such security is not something that can simply be added at a network layer, but should be considered by design from the chip through to the cloud in order to enable trusted deployment at scale.
Embracing a secure-by-design approach that puts a Root of Trust at the foundation of IoT security not only establishes an important baseline of security from the outset, but is more cost effective than bolting on security as an afterthought.
Modern IoT ecosystems are inherently complex. There’s no one size fits all cybersecurity solution that can protect any IoT deployment, which is why the industry needs to work together to establish best practice and build a common foundation for security. Embracing easy-to-use frameworks, evaluations and certifications, and closing security gaps with threat modeling are crucial ingredients. OEMs can reuse certificates saving money and resources, and expertise can also be shared widely across the value chain. Along with alignment to legislation and standards, this can help to democratise IoT security and provide a real solution to the business and cyber security challenges of building trust in the IoT.
Cyber insurance is also likely to play an important part in the future of IoT, helping businesses to deploy at scale while managing the risk of security breaches. In order for insurers to better model the inherent likelihood of an attack – and provide the necessary capital to underwrite those risks – we’re likely to see insurers mandating that companies source equipment for their digital transformation supply chain that has demonstrably followed security best practices, such as PSA certified. This widespread adoption of security best practice in connected devices will bring the confidence to deploy at a scale that businesses and consumers are looking for.
The connected future we’re starting to build is entirely dependent on a secure IoT, and the cost of failing to build trust and assurance in the ecosystem spans far beyond organisational risk. If IoT security is to fulfil its potential as the bedrock of digital transformation, it’s time to create a secure-by-design culture that builds security into the heart of the devices from the outset.
David Maidment is Senior Director of Secure Device Ecosystem at Arm. David has over 25 years of experience in the embedded and connectivity industry. He specializes in the intersection between security and IoT. Arm is a co-founders of PSA Certified – a four-step process to build in the right level of device security. Arm remains and active co-founder of PSA Certified and is involved in providing architecture specifications, security resources, and IP to make IoT more secure.
