• Gartner forecasts worldwide IoT security spending at $1.5bn this year
• Lack of prioritisation and implementation hampering IoT security spending
• Standards for IoT security components are only now starting to be addressed
• By 2021, regulatory compliance will be the prime influencer

Nearly 20 per cent of organisations have experienced at least one IoT-based attack in the past three years. Are we surprised? Probably not, but the more important questions are how many of those attacks did damage and what is the industry going to do to make sure future attacks (the number of which will only increase) prove ineffective?

According to Gartner, who also supplied the above statistic, to protect against these threats worldwide spending on IoT security will end up costing $1.5 billion by the end of this year – a 28 per cent increase from 2017’s spending of $1.2 billion. And it will continue to grow: spending on IoT security is expected to reach $3.1 billion in 2021, just three years away.

“In IoT initiatives, organisations often don't have control over the source and nature of the software and hardware being utilised by smart connected devices," said Ruggero Contu, research director at Gartner. "We expect to see demand for tools and services aimed at improving discovery and asset management, software and hardware security assessment, and penetration testing. In addition, organisations will look to increase their understanding of the implications of externalising network connectivity.”

Despite a steady year-on-year growth in worldwide spending, Gartner predicts that through 2020, the biggest inhibitor to growth for IoT security will come from a lack of prioritisation and implementation of security best practices and tools. This will have the effect of hampering the potential spend on IoT security by as much as 80 per cent. While basic security patterns have been revealed in many vertical projects, they have not yet been codified into policy or design templates to allow for consistent reuse. As a result, technical standards for specific IoT security components in the industry are only now just starting to be addressed across established IT security standards bodies, consortium organizations and vendor alliances.

"Most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed," added Contu. "However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider's alliances with partners or the core system that the devices are enhancing or replacing."

Gartner says the absence of "security by design" comes from a lack of specific and stringent regulations. Going forward, the research group expects this trend to change, especially in heavily regulated industries such as healthcare and automotive. By 2021, it predicts that regulatory compliance will become the prime influencer for IoT security uptake. Industries having to comply with regulations and guidelines aimed at improving critical infrastructure protection (CIP) are being obliged to increase their focus on security as a result of the increasing use of IoT in the industrial sector.

"Interest is growing in improving automation in operational processes through the deployment of intelligent connected devices, such as sensors, robots and remote connectivity, often through cloud-based services," said Contu. "This innovation, often described as Industrial Internet of Things (IIoT) or Industry 4.0, is already impacting security in industry sectors deploying operational technology, such as energy, oil and gas, transportation, and manufacturing."