Although most organizations surveyed plan to increase adoption of Internet of Things (IoT) technology in their operations, only 28% consider security strategies specific to IoT “very important,” according to information security company Trustwave.
And this is despite high-profile IoT security attacks in recent times, such as 2017’s so-called ‘Petya’ cyberattack, which last month hit Danish shipping giant A.P. Moller-Maersk and German railway operator Deutsche Bahn (which was also a victim of May’s ‘WannaCry’ ransomware hack), causing significant disruption and delays. In fact, a report by app threat intelligence company F5 Labs found that, compared to the previous six months, IoT attacks grew 280% in the first half of 2017.
Trustwave’s “IoT Cybersecurity Readiness Report” surveyed individuals with applied security experience from primarily midsize and large organizations. Key findings from the report include:
IoT use is growing rapidly
64% of organizations surveyed have deployed some level of IoT technology, and another 20% plan to do so within the next 12 months. The result will be that by the end of 2018, only one in six organizations will not be using at least a minimal level of IoT technology for business purposes.
Security concerns cited as top barrier to increased IoT adoption
Although more than half of those surveyed plan on increasing use of IoT technologies, 42% are either unsure or have no plans to increase use. 57% cite security concerns as the number one barrier to greater IoT adoption, followed by “not relevant to operations” at 38% and “lack of budget” at 27%.
Disparity between IoT use and security
Only 28% of organizations surveyed consider that their IoT security strategy is “very important” when compared to other cybersecurity priorities within the organization. More surprising, however, is that greater than one-third believe that IoT security is only “somewhat” or “not” important.
Most have already experienced an IoT-related security incident
61% of those surveyed who have deployed some level of IoT technology have had to deal with a security incident related to IoT. While most of the reported incidents involved actual attacks – e.g., malware infiltration (24% of the organizations surveyed) and successful phishing and/or social engineering attacks (18%) – some were merely attempted attacks, such as misconfiguration attacks (11%).
Additionally, organizations can be attacked by IoT devices from outside sources even though they have no IoT devices deployed internally. Overall, most believe they will experience an IoT security problem in the future, with 55% believing it will happen during the next two years.
Lack of patching policies and procedures
Only 49% of organizations surveyed have formal patching policies and procedures in place, and only about one-third patch their IoT devices within 24 hours after a fix becomes available.
Insufficient risk assessment for third-party partners and testing of IoT vendors
Fewer than one-half of organizations consistently assess the IoT security risk posed by third-party partners, another 34% do so only periodically, and 19% don’t perform third-party IoT risk assessment at all. In addition, only 70% of organizations perform their own security testing or piloting of these devices, only 54% use published reviews, and only 32% use third-party testing services. Many (47%) rely on vendors’ security claims.
Confidence in IoT security is not high
Only 10% of those surveyed are “very” confident that they can detect and protect against IoT-related security incidents, while 62% are only “somewhat” or “not” confident that they can do so. The combination of a low emphasis placed on IoT security, the sizeable proportion of organizations in which security incidents have already occurred and the perception that future security incidents are a virtual certainty leaves decision makers with little confidence that they can defend against IoT-related security incidents.
What the experts say
“Any device or sensor with an IP address connected to a corporate network may open the doors to a devastating security incident,” said Lawrence Munro, Vice President of SpiderLabs, Trustwave.
“As IoT adoption continues to proliferate, manufacturers of IoT are sidestepping security fundamentals as they rush to bring products to market. We are seeing lack of familiarity with secure coding concepts resulting in vulnerabilities, some of them a decade old, incorporated into final designs.
“Because updating IoT devices by nature is more challenging, many remain vulnerable even after patches are issued, and often patches are not even developed. Organizations need to properly document and test each internet-connected device on their network or face introducing potentially thousands of new attack vectors easily exploitable by cybercriminals.”
“Interestingly, the security of IoT was identified as the leading barrier to greater adoption,” noted Michael Osterman, Principal Analyst, Osterman Research (the company that conducted the survey on behalf of Trustwave).
“There have been numerous IoT-related security problems in the recent past and the problems will only get worse until decision makers make security the key issue in their selection and deployment of IoT-related devices.”