Secure IoT from Outset, Experts Say
With use of connected devices on rise, enterprises must address IoT security issues from top down, experts say.
Gartner predicts that 4.9 billion connected things will be in use by the end of this year, up 30 percent from 2014, and will reach 25 billion by 2020. This expansion will boost the economic impact of the Internet of Things (IoT) as businesses, city authorities, hospitals and other entities find new ways in which to exploit the technology, the firm predicts.
Security professionals will be challenged to secure the IoT, so, not surprisingly, several experts addressed the topic at the recent Information Systems Security Association International Conference in Chicago.
"We are losing this [the security] battle," said Vint Cerf, Google vice president and Internet evangelist, during his opening keynote presentation about cybersecurity. Drilling down to IoT security, he cited several challenges that need to be overcome to ensure security.
IoT and Software Updates
As IoT comes of age, consumers could have a couple of hundred smart devices in their homes, including thermostats, refrigerators, televisions, radios and numerous other devices. Even if these devices are all secure at the time of installation, they will need software upgrades to keep them running as expected.
"The last thing that we need are devices that are not updatable," Cerf said. "We know the update software will have bugs."
Buggy software has been a security issue for decades, Cerf said. "If there are bugs, someone could have 100,000 refrigerators attacking Bank of America." On a more serious note, he added, "We need to do something about bugs and about downloadable malware."
IoT in the enterprise and in homes will force companies to make strategic choices related to how information security is integrated into these ecosystems, said Demetrios Lazarikos, chief information security officer of vArmour.
Securing IoT from Outset
Devices will need to be secure at the outset, Lazarikos stressed, because continuous patching would lead to its own set of safety and device failure issues.
"Security needs to be driven from the top down," Lazarikos said, adding, "You need to consider what type of data is being stored on these devices."
While it is valuable to have a smart HVAC unit inform a company when it needs to change a filter, there is no reason for that same device to store any sensitive information, he said.
IoT providers need to make it easy for people to follow good security practices, Cerf said.
Some IoT providers might count on cyber liability insurance to protect them against losses due to security flaws in their devices, but such thinking is short-sighted, Lazarikos said. "Cyber liability insurance is not a silver bullet. Most insurers will put some type of cap on it. If there is a $250 million liability cap and a breach results in $1 billion in liability, you have to cover the other $750 million."
Security of IoT devices needs to be scalable and extensible, with continuous monitoring and alert capabilities, Lazarikos said.
A good way to see just how secure an IoT device is, is to hack it yourself, advised Nick Percoco, vice president, strategic services, Rapid7.
Phillip J. Britt's work has appeared on technology, financial services and business websites and publications including BAI, Telephony, Connected Planet, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.