IoT and a Growing Attack Surface
There is no doubt that the IoT brings tremendous opportunities to deliver more and richer data that drives operational efficiency and smarter decision making. But as IoT devices proliferate, they also enlarge the overall attack surface and expose organizations to additional threats. It is far more cost-effective to build good data security into the design phase of any product or system than to retrofit it after a breach. Even though IoT security has been recognized for years as one of the key barriers to successful IoT deployment, many management boards have yet to make the necessary investment in it. So how does a product manager or security officer justify the business case for implementing the right level of IoT data security from the start?
Thanks to newly released research from the Ponemon Institute and IBM, those costs can now be quantified from the real-life experience of 477 companies that have gone through data breaches themselves, and the scope and cost of the problem can be better understood. In summary, the bad news is that deploying IoT devices has indeed increased both the attack surface and the overall cost of recovering from a data breach; the good news is that organizations with robust data encryption and incident response capabilities have significantly lowered the cost of those breaches. Let's look at some of the highlights in more detail.
IoT Data Breach Trends 2017-2018
More than 2,000 IT and compliance professionals whose companies had suffered a data breach in the previous 12 months were interviewed for the study.
- The total cost of an average customer data breach was a staggering US$3.86 million.
- That is a year-over-year cost increase of 6.4%.
- The average cost per lost or stolen consumer record was $148.
- For healthcare, that figure skyrockets to $408 per lost or stolen patient record.
- Companies making extensive use of IoT devices saw the average cost per stolen record rise by $5, suggesting that deploying IoT devices tangibly increases the cost of data loss.
That said, organizations that had taken proactive measures to encrypt most of their data (whether originating from their IT or IoT infrastructure) saw the average cost per stolen record reduced by $13, while those with strong incident response (IR) capabilities, either in-house or through trusted third-party cybersecurity experts, saved another $14 per stolen record. Taken together, that is $27 off a $148 per-record cost, so an organization employing both capabilities might save more than 18% on the cost of a data breach, or roughly $700,000 on an average breach. These figures are average adjustments across the surveyed companies, not guaranteed savings for any single organization, but the direction is clear. The study further shows that companies that have suffered one material breach have a 27.9% likelihood of suffering another within the following two years, driving breach costs, and the potential savings from good security, even higher.
We have now also entered the era of the "mega-breach", according to the report. For the first time, Ponemon measured the impact of breaches ranging from 1 million to 50 million records: a breach of 1 million records cost about $40 million, and a breach of 50 million records about $350 million. At these volumes, investments in IR and encryption generate savings that run far into the millions of dollars. How many records do you hold, and what would a breach of that size cost your company? Knowing that is essential, and it feeds directly into your IoT and cybersecurity business case.
Justifications Beyond Data: the Kudelski Group Analysis
Even with this strong justification for IoT security investment, data breaches are only one factor that should be considered in the overall business case. Our experience at the Kudelski Group is that inadequately protected devices can also be compromised and hijacked into botnets that launch distributed denial-of-service attacks on popular websites or services. They can also be manipulated to feed false data to their owners, which in industries such as power, healthcare and energy can cause serious productivity, availability, fraud, damage or, even worse, safety issues. The reverse also holds: unauthorized commands accepted by insufficiently protected devices can make them behave in dangerous ways, as in automotive, aviation and smart-building systems. These device security scenarios were not the subject of the Ponemon study, but they must also be considered when building the business case for IoT security.
All the elements discussed so far fall under "risk mitigation", and while they are compelling and must be considered, IoT also promises new features, new business models and operational efficiencies that positively and directly affect the bottom line. Organizations should rightly include realistic forecasts of the value IoT will add to the business over the long term. When all these factors are combined, we believe the justification for a management board to invest in the proper design and implementation of robust, sustainable IoT device and data security, along with managed security and incident response services, is overwhelming. That is why some of the world's most recognized and security-conscious brands are already working with us to secure their connected futures.
Latest posts by Christopher Schouten
- Getting IoT Security Right: Lessons from Other Security-Conscious Markets - September 27, 2018
- The Business Case for Resilient IoT Security – Review of New Research - August 8, 2018