As digitization has risen on the executive agenda, cybersecurity skills and processes in most companies have also advanced, though at a slower pace. But rapid growth in the Internet of Things (IoT) is changing the game. Cybersecurity is more relevant and challenging than ever, and companies need to build capabilities in this area—quickly.
IoT holds great potential to help companies improve their products and services or increase production efficiency by harnessing sensors and actuators that seamlessly connect objects to computing systems. No wonder, then, that many companies are bringing more and more devices, products, or production systems online. Conventional estimates suggest we could reach 20 billion to 30 billion connected devices globally by 2020, up from 10 billion to 15 billion devices in 2015. However, as devices proliferate, the security risks will increase sharply. Historically, risking the confidentiality and integrity of information was the prime concern compared with any risk regarding availability. In the IoT world, lack of availability of key plants or—even worse—tampering with a customer product becomes the dominating risk. How can CEOs and senior executives hedge against that threat?
The challenge of cybersecurity in the Internet of Things
With the IoT, security challenges move from a company’s traditional IT infrastructure into its connected products in the field. And these challenges remain an issue through the entire product life cycle, long after products have been sold. What’s more, industrial IoT, or Industry 4.0, means that security becomes a pervasive issue in production as well. Cyberthreats in the world of IoT can have consequences beyond compromised customer privacy. Critical equipment, such as pacemakers and entire manufacturing plants, is now vulnerable—meaning that customer health and a company’s total production capability are at risk.
The sheer number of cybersecurity attack vectors increases dramatically as ever more “things” are connected. Earlier, a large corporate network might have somewhere between 50,000 and 500,000 endpoints; with the IoT, we are talking about millions or tens of millions of endpoints. Unfortunately, many of these consist of legacy devices with inadequate security, or no security at all.
This added complexity makes the IoT a more difficult security environment for companies to manage. Those that succeed, though, could use strong cybersecurity to differentiate themselves in many industries.
To explore views on the relevance of and companies’ preparedness for IoT security, McKinsey conducted a multinational expert survey with 400 managers from Germany, Japan, the United Kingdom, and the United States. The results indicate a yawning gap between perceived priority and the level of preparedness:
- Of the IoT-involved experts surveyed, 75 percent say that IoT security is either important or very important, and that its relevance will increase. But only 16 percent say their company is well prepared for the challenge (Exhibit 1). The survey also indicated that low preparedness is often linked to insufficient budget allocated to IoT cybersecurity.
- Our interviews revealed that companies are ill prepared at every step of the IoT security action chain (predict, prevent, detect, react). Especially weak are prediction capabilities; 16 percent feel well prepared, compared with 24 to 28 percent on prevent, detect, and react.
- More than one-third of companies lack a cybersecurity strategy that also covers the IoT. The rest have some sort of strategy but many report struggling to implement it.