Connected and Vulnerable: Deloitte Shares Top Five Tips for IoT Device Security

As cyber attacks on connected devices increase, Deloitte introduces its state-of-the-art Cyber IoT Studio to research, test and architect technologies for security solutions.

With the number of connected Internet of Things (IoT) devices anticipated to swell beyond 41 billion by 2025 according to an IDC forecast, and with the number of cyber attacks on such devices growing exponentially by the day, organizations should put security at the forefront of their priorities around IoT solutions. In an effort to help organizations shore up their security postures, Deloitte offers five tips to address IoT security in the products that organizations deploy in their environments, and encourages manufacturers of connected products to take a secure-by-design approach.

From cameras to toothbrushes, thermostats to hospital infusion pumps, connected devices are actively being targeted by cyber adversaries determined to compromise corporate and individual privacy, construct botnets, place malicious software and steal intellectual property.


Sean Peasley, partner, Deloitte & Touche LLP, and IoT security leader for Deloitte cyber risk services, said, "The risk of compromise to a connected device is too great to ignore and often too late to reactively respond to. Organizations should adopt a proactive, secure-by-design approach while strategically and intentionally working to monitor and patch outdated legacy equipment, software and infrastructure."

California is leading the charge with a new Internet of Things Security Law taking effect on Jan. 1, 2020, requiring all IoT devices sold to be equipped with reasonable security measures. Consequently, organizations should prepare and protect their companies, customers and communities. The benefits of IoT connectivity far outweigh the investment in cyber measures to ensure the integrity of the devices, networks and programs.

IoT device security best practices

1. Take note of every endpoint added: The expanse of IoT grows with every endpoint added to a network. Each new endpoint adds potential vulnerabilities, and IoT endpoints have become an increasingly popular and destructive target for cyber attacks. While the adversarial landscape is always changing, Deloitte advises organizations to bring as much of their endpoint footprint as possible under their security management in order to better secure the attack surface. Industry analysts predict that spending on IoT endpoint security solutions will be more than $630 million in 2021. Once these devices are managed, integration of security tools can be a more effective security focus for the organization. As with most domains within cybersecurity, security professionals realize that in order to meet the complex security challenges of their organizations, they should formulate a sound security strategy and constantly evolve it by making continuous improvements to best mitigate their risks.

2. Align operational technology, IT and security: In addition to IoT, enterprises are managing multiple digital transformation initiatives simultaneously. Yet, according to the “Deloitte Future of Cyber” study, less than 10% of cyber budgets are allocated to these efforts. For companies to be successful with IoT initiatives, they need a new approach: one that helps them understand enterprise and cyber risks; develop a plan to prioritize and mitigate those risks; and then operationalize these efforts by obtaining alignment across key stakeholders in operational technology, IT and cybersecurity. Peasley adds, “IoT spans operational environments as much as it includes wearables, connected cars and products. Organizations should proactively plan for how to identify, track, patch and remediate around how it all could impact their organizations and ecosystems.”

3. Know the players in your ecosystem: Since the interconnectivity of third-party hardware, software or services may be the source of a security breach, it’s imperative to consider how a covered device interacts with such third parties. Ideally, contracts with third, fourth, and fifth parties should address security updates and concerns. Organizations should establish a third-party risk management program to evaluate the cyber risks of their third parties and supply chain partners.

4. Employ AI and ML to detect anomalies that humans can’t: You can’t prevent what you don’t know about. Artificial intelligence for IT operations (AIOps) has grown from an emerging category to an IT necessity. AIOps platforms are uniquely suited to establishing a baseline for normal behavior and detecting subtle deviations, anomalies and trends. This is significant as IoT turns much of the physical world into robots powered by AI. Organizations should take a secure-by-design (DevSecOps) approach in tandem with an AIOps approach to both prevent and identify cyber attacks.
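Tips 1 and 4 together amount to one detection idea: know which endpoints you manage, learn what each one normally does, and flag departures. The following is an added example, not Deloitte's code or any AIOps product: it builds a per-device, per-destination traffic baseline from constructed flow records (hypothetical device ids and hostnames) and then flags unmanaged endpoints, never-seen destinations and volume spikes in a constructed live window.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed inventory of managed endpoints (hypothetical device ids and roles).
INVENTORY = {"cam-01": "camera", "therm-07": "thermostat", "pump-12": "infusion-pump"}

# Constructed flow records (device, destination, bytes_out) from a learning window.
BASELINE_FLOWS = [
    ("cam-01", "nvr.corp.example", 52000), ("cam-01", "nvr.corp.example", 48000),
    ("cam-01", "nvr.corp.example", 50500), ("cam-01", "ntp.corp.example", 90),
    ("therm-07", "hvac-cloud.example", 800), ("therm-07", "hvac-cloud.example", 760),
    ("therm-07", "hvac-cloud.example", 820), ("therm-07", "ntp.corp.example", 90),
    ("pump-12", "ehr.corp.example", 1500), ("pump-12", "ehr.corp.example", 1600),
    ("pump-12", "ehr.corp.example", 1450),
]

# Constructed live records: a normal flow, a never-seen destination (TEST-NET-3
# address), a large upload from a device that normally sends ~1.5 KB, and an
# endpoint that is missing from the inventory.
LIVE_FLOWS = [
    ("cam-01", "nvr.corp.example", 51000),
    ("therm-07", "203.0.113.77", 790),
    ("pump-12", "ehr.corp.example", 900000),
    ("bulb-99", "hvac-cloud.example", 300),
]

def build_baseline(flows):
    """Per device and destination: mean and population stdev of bytes_out."""
    sizes = defaultdict(list)
    for dev, dst, nbytes in flows:
        sizes[(dev, dst)].append(nbytes)
    baseline = defaultdict(dict)
    for (dev, dst), vals in sizes.items():
        baseline[dev][dst] = (mean(vals), pstdev(vals))
    return baseline

def score(flows, baseline, inventory, sigma=3.0):
    """Return (device, reason) findings for each deviation from the baseline."""
    findings = []
    for dev, dst, nbytes in flows:
        if dev not in inventory:                    # tip 1: endpoint not under management
            findings.append((dev, "unmanaged endpoint"))
        elif dst not in baseline.get(dev, {}):      # tip 4: peer this device never talked to
            findings.append((dev, f"new destination {dst}"))
        else:
            avg, sd = baseline[dev][dst]
            # Floor the band at 10% of the mean so near-constant traffic (sd ~ 0) is not over-alerted.
            if abs(nbytes - avg) > sigma * max(sd, 0.1 * avg):
                findings.append((dev, f"volume deviation {nbytes}B"))
    return findings
```

Calling `score(LIVE_FLOWS, build_baseline(BASELINE_FLOWS), INVENTORY)` yields three findings (the thermostat's new destination, the pump's volume spike and the unmanaged bulb) and none for the camera's normal flow.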

5. Conduct vulnerability assessments on devices: As cyberattacks continue to grow, organizations should have confirmation that their connected devices — and the environment in which they’re deployed — have been designed, built and implemented with security in mind. Whether through basic testing or a bug bounty program, testing can provide assurance around the security posture of an organization’s devices.

Deloitte’s Cybersphere is a state-of-the-art destination to help organizations explore their most pressing cyber challenges. The Cybersphere features a 24/7 threat monitoring and reconnaissance “Watch Floor,” and labs designed for cyber teams to increase capabilities and confidence as they face ever-evolving cyber threats. It also features a Cyber IoT Studio where organizations can test the security of their connected devices on their networks to help identify whether their most critical assets are secure.

Deloitte’s Cyber IoT Studio provides:

  • Technical testing services for IoT devices — from autonomous cars and connected medical devices, to industrial control systems, building automation and smart cities.
  • A center of excellence that provides leading practices for device security testing and certification readiness methods.
  • An environment and secure location in which to test, analyze and pilot proprietary technology.
  • Diverse IoT ecosystems to architect and test heterogeneous technologies for a multitude of industry-specific use cases with the latest security and control solutions for on-premise and cloud integrations.