The Internet of Things (IoT) is one of the fastest-growing trends in technology, with 30 billion IoT devices estimated to be operational by 2020. However, according to new research from nCipher Security, an Entrust Datacard company, many enterprises in Hong Kong fail to prioritize IoT security. This results in greater vulnerability to increasingly dangerous and widespread cyberattacks.
The 2019 Global PKI and IoT Trends Study, conducted by the research firm Ponemon Institute and sponsored by nCipher Security, is based on feedback from more than 1,800 IT security practitioners in 14 regions, including over 300 respondents in Hong Kong.
PKI plays a strategic role for enterprises to embrace new digital initiatives: cloud, mobile usage, and IoT
Public key infrastructure (PKI) is the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public keys. It enables the use of common technologies such as digital signatures and encryption. For many organizations, PKI is a strategic part of their IT backbone, enabling them to embrace new digital initiatives, such as cloud, widespread mobile device usage, and, of course, IoT.
IoT is one of the fastest-growing trends driving PKI application deployment, which has grown 20% over the past five years. In Hong Kong, the top three most important trends driving the deployment of applications using PKI are consumer mobile usage (53%), IoT (50%), and cloud-based services (45%). This compares with global drivers including SSL certificates (79%), private networks and VPNs (69%), and public cloud-based applications and services (55%).
PKI security practices have not kept pace with growth in application deployment
In the next two years, an average of 42% of IoT devices in use will rely primarily on digital certificates for identification and authentication. Despite this, encryption for IoT devices, and for IoT platforms and IoT data repositories, is at just 28% and 25% respectively, according to nCipher’s 2019 Global Encryption Trends Study.
Furthermore, global and Hong Kong respondents both cited altering the function of IoT devices through malware or other attacks (68%; 79%) and the remote control of devices by unauthorized users (54%; 45%) as the top IoT security threats. However, instead of addressing these two risks directly, the average respondent rated protecting confidentiality and integrity as the most important IoT security capability. The discrepancy might indicate that many enterprises are not aware of the IoT security mechanisms available to protect against malware, such as code signing and secure boot, and against the remote control of IoT devices, such as banning default passwords and adopting strong device authentication.
Respondents also see significant technical and organizational barriers to PKI usage in three key areas: the inability to change legacy applications (46%), insufficient skills (45%), and insufficient resources (38%). The numbers are even more striking in Hong Kong, where 60% of respondents state that existing PKI is incapable of supporting new applications, 50% say they do not have the ability to change legacy applications, and 48% say they have no pre-existing PKI in place.
“PKI application is evolving as organizations address digital transformation across their enterprises. In addition to IoT, more than 40% of global respondents also cited cloud and mobile initiatives as driving PKI use,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Clearly, the rapid growth of IoT is having a huge impact on the use of PKI, as organizations realize that PKI provides core authentication technology for connected devices. For organizations to gain full advantage of their digital initiatives, they must continue to improve the security maturity of their PKIs in a world of increasing cybersecurity threats.”
“The scale of IoT vulnerability is staggering. The International Data Corporation (IDC) recently forecasted that there will be 41.6B connected IoT devices by 2025, generating at least 79.4 zettabytes of data,” said Michael Tai, head of sales, Greater China at nCipher Security. “There is no point in collecting and analyzing IoT-generated data, and making business decisions based upon it, if we cannot trust the security of the devices or their data. Building trust starts with prioritizing IoT security practices, such as implementing PKI, that counter top IoT threats. After all, insecurely connected devices can be a conduit for leakage of personal information and the creation of an unwanted digital trail.”
Other key findings for Hong Kong:
- The top five most important IoT security capabilities in the next 12 months in Hong Kong are: 1) device authentication; 2) monitoring device behavior and delivery of patches and updates (tied); 3) protecting confidentiality and integrity of data and device discovery (tied).
- Hong Kong has a stronger preference for an externally managed service CA over the corporate CA model (63% vs 54%), which differs from the global trend. The lack of PKI expertise or talent in the city might account for this, given the higher security awareness among enterprises.
- Asia Pacific uses PKI for device authentication at a higher rate than any other region (60%), mostly driven by the accelerated adoption of AI, IoT and cloud technologies in the region over the past few years.