There is no shortage of warnings about the need to improve security for the Internet of Things:
- The Guardian asks “Can we secure the internet of things in time to prevent another cyber-attack?”.
- The New York Times calls for “Stepping up Security for an Internet of Things world”.
- Technology Review reports that Security Experts Warn Congress That the Internet of Things Could Kill People”.
- Fortune outlines Why Businesses Need to Secure Connected Devices to Win Consumer Trust”.
- After the (at the time) record distributed denial of service attack, Brian Krebs analyzes “Who Makes the IoT Things Under Attack?”.
Certainly these messages must be raising concerns in organizations that are working on Internet of Things projects.
But it doesn’t seem so.
In our recent research at MIT Sloan Management Review, we found that only 34% of the respondents felt that they needed to improve their IoT data security. If you are trying to decide if the glass is full or empty, that glass seems two-thirds empty to me.
The research included responses from 1,480 executives, managers, and IT professionals working in a wide variety of industries. It focused on the perspective of organizations, not security professionals, and tried to understand their challenges and opportunities associated with the Internet of Things.
One optimistic interpretation of these results is that the reason the 66% are not concerned about IoT data security is that they have heeded the warnings and have taken steps to reduce security concerns. But we also asked respondents about how effective their organizations were at security for IoT data. Figure 1 shows the relationship between concern for IoT data security and the organization’s perceived data security effectiveness. Reporting of a need to improve IoT security changed little with the perceived effectiveness.
An alternative, more pessimistic interpretation is that organizations need to improve IoT security, but that it is not an important concern. Instead, in order to take advantage of IoT, respondents felt more need to improve their overall analytics capability (58%), analytics talent (52%), IoT specific talent (49%), executive team’s understanding (46%), ability to communicate with customers (45%), and relationships with other groups who understand IoT (40%). In fact, need for improvements in data security (34%) and sensor-data security (27%) were selected less often than any other option we gave respondents to choose from. And in this scenario, respondents could select as many as they felt described their organization, without cost.
Our respondents had a variety of experience with IoT projects. It could be that those who are not active may not yet be aware of potential security issues. Given that most organizations are not yet active with IoT projects, our results could be driven by those inactive organizations. Figure 2 examines organizational concern for IoT data a security as they gain experience with IoT. Concern is higher for organizations active with IoT with some drop as they gain further experience. But it seems that inactive organizations are not solely responsible for the low overall need to improve IoT data security.
While IoT security is inherently important, it may be even more salient when combined with another key result from our research—business value from the Internet of Things is related to the amount of data sharing between customers, suppliers, and even competitors. As organizations find value in sharing data with other organizations, they are likely to increase connections with other organizations, leading to increased potential for negative externalities.
Unfortunately, the low perception of need to improve IoT data security coupled with increased IoT deployments and interconnections between organizations seem likely to lead to more headlines that report on IoT security downfalls, not fewer.