In-brief: Fewer than one in five managers say their company is ready for the challenge of securing the Internet of Things, and global consulting firm McKinsey says that CEOs need to get a plan, fast.
More than three-quarters of managers surveyed said Internet of Things security is a top priority, but just 16% said their company was “well prepared” to address IoT security risks, McKinsey reported this week. The firm advised chief executive officers to assess the impact of the Internet of Things and IoT-related risks on their business and their industry fast, while also figuring out how to work with the security community before they get caught out.
Information security, once the purview of the IT department, is poised to become a “pervasive issue” in both corporate operations and on corporate networks, McKinsey concludes.
With the IoT, security challenges move from a company’s traditional IT infrastructure into its connected products in the field. And these challenges remain an issue through the entire product life cycle, long after products have been sold. What’s more, industrial IoT, or Industry 4.0, means that security becomes a pervasive issue in production as well. Cyberthreats in the world of IoT can have consequences beyond compromised customer privacy. Critical equipment, such as pacemakers and entire manufacturing plants, is now vulnerable—meaning that customer health and a company’s total production capability are at risk.
As its source, McKinsey cited a survey of some 400 managers from the U.S., Germany, the U.K. and Japan, finding that awareness of the Internet of Things far outstripped preparations for its arrival.
“Companies are ill prepared at every step of the IoT security action chain (predict, prevent, detect, react),” he said. That was especially true of the ability to predict IoT threats, where just 16 percent said they were well prepared. More than one-third of companies reported they lacked a cybersecurity strategy that also covers the IoT. The rest have some sort of strategy, but many report struggling to implement it, McKinsey said.
Senior management isn’t ready to “act now” on IoT security, McKinsey found. “Few leaders have made the business case for a specific IoT security strategy that would, in turn, make the effort a priority and trigger the allocation of sufficient resources.” That may be due to a fast-evolving IoT space and the complexity of the IoT compared to traditional enterprise networks. Does responsibility for cyber security rest with makers or suppliers? And, within industries like manufacturing, there is a lack of cyber security know-how and expertise. On the corporate IT side, there is a lack of the operational know-how needed to adapt security measures to OT environments.
To be ready to address IoT risks, CEOs need to figure out how IoT technologies will impact their industry and the “points of vulnerability” that will create for their organization.
Beyond that, companies need to invest heavily in supply chain security, McKinsey concludes: coordinating with “upstream and downstream business partners” – both suppliers and customers – to “sort out responsibilities for security along the entire supply chain.” That might involve players at each layer of the stack: from silicon and networking equipment providers to application developers.
Finally, McKinsey channels security community icons such as Katie Moussouris of Luta, advocating for a ‘front door’ (Katie’s term, not theirs) for security researchers to report issues with a company’s products. “Companies need to implement a single, visible point of contact for IoT-security-related notifications or complaints,” McKinsey said.
Check out the full report here: Six ways CEOs can promote cybersecurity in the IoT age | McKinsey & Company