EXECUTIVE SUMMARY:

As our world of devices becomes even more connected, in and out of offices, IoT security becomes a greater concern. With more accountability for cybersecurity landing on those at the helm, CEOs are under more pressure to ensure the security of their organizations. To learn more about how prepared companies are for the challenges posed by IoT, consulting firm McKinsey conducted a survey. Below are their key findings, as well as six recommendations for the road ahead.

Key Findings

75 percent say IoT security is important or very important, yet only 16 percent say their company is well prepared for the challenge. McKinsey believes three factors contribute to this disconnect:

  • Lack of prioritization
  • Unclear responsibility
  • Lack of standards and technical skills

Recommendations

McKinsey recommends six actions for CEOs to guide their organizations to success:

  1. Understand what IoT security will mean for your industry and business model. Treat cybersecurity as a business advantage rather than a necessary evil.
  2. Set up clear roles and responsibilities for IoT security along your supply chain. That means making sure upstream and downstream business partners are aligned and clear on their responsibilities–whether suppliers, customers, or some other element of the supply chain.
  3. Engage in strategic conversations with your regulator and collaborate with other industry players. Work with industry leaders–and competitors–to establish standards and share information and intelligence.
  4. Conceive of cybersecurity as a priority for the entire product life cycle, and develop relevant skills to achieve it. That means embedding security from the get-go, when designing and developing a product, all the way through manufacturing and even post-sales, with patching. Security is not a one-and-done situation. As Check Point Vice President of Products Dorit Dor said in a Cyber Talk article a few months ago, “Not all IoT devices are built the same. Some can have inherent flaws that are known, making them easy targets, from a hacker’s perspective. For instance, there could be a problem with the operating system or the software. Perhaps the device wasn’t designed or implemented correctly.
    Outside of a product recall, some devices don’t even have any update capabilities. Or, they weren’t designed with security in mind to begin with—leaving them prone to future attacks.”
  5. Be rigorous in transforming mind-sets and skills. Leaders must lead by example, and help build a culture that respects and reinforces strong cybersecurity principles.
  6. Create a point-of-contact system for external security researchers and implement a post-breach response plan. Make it easy for the white hat hackers to let your organization know about newly discovered bugs. More importantly, take time to clearly map out an effective response plan with the chain of actions and responsibilities should a breach occur.

Read the full story at McKinsey.