Cyber attacks, security incidents and breaches initiated through insecure Internet of Things (IoT) devices are on the rise, and most enterprises are not yet on track to do anything about it, according to several high-profile studies published over the last month.
Most recently, the Ponemon Institute found that even though the number of IoT devices in the enterprise is expected to grow by at least 56% over the next year, most large organizations have no way to thoroughly inventory these devices, let alone the controls to secure them. The study showed that only 15% of organizations keep track of most of their IoT devices and applications, whether introduced internally or by a trusted third party. Fewer than half of organizations even believe it is possible to keep a full inventory of IoT devices, and among these optimists, just 19% say they have a list of at least half of the IoT devices connected to their environments. The primary obstacle to tracking these devices is a lack of centralized control, which 88% of organizations cite as a problem.
Meanwhile, just over one in five organizations report they've experienced a data breach or cyber attack caused by unsecured IoT devices or applications in the past year.
"The rapid adoption of IoT devices and applications is not slowing down and organizations need to have a clear understanding of the risks these devices pose both inside their own and outside their extended networks," says Charlie Miller, senior vice president for the Shared Assessments Program, which sponsored the Ponemon report. "It's critical that organizations assign accountability and ownership of IoT-related oversight across their organization, ensure that IoT security is taken seriously and educate management at all levels."
The good news is that awareness of the IoT security gap is at least growing across all IT stakeholders, not just among CISOs. According to a survey released by 451 Research in February, 55% of IT decision makers rank security as their top priority when deploying IoT in the enterprise, a number that has risen since the analyst firm started tracking IoT priorities two years ago.
The trouble is that there's still a big gap to bridge between awareness of the problem and actually executing the types of security controls that can solve it.
“The nature of IoT deployments makes them particularly difficult to secure against cyber threats,” says Brian Partridge, research vice president for IoT at 451 Research. “As industrial equipment is increasingly connected to the Internet for data collection and analysis, enterprises open themselves to the sophisticated world of security intrusions. IoT projects often straddle OT/IT domains, which have struggled independently to secure against internal and external threats. When these domains come together driven by IoT, the overall attack surface can increase exponentially.”
According to Gartner analyst Ruggero Contu, one of the biggest problems keeping organizations from achieving acceptable levels of IoT security is a lack of centralized 'security by design': many IoT initiatives are still deployed and operated at the business level without looping in security departments.
"Coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider's alliances with partners or the core system that the devices are enhancing or replacing," he says.
Fortunately, large organizations are opening the financial taps for IoT security initiatives in the face of growing anxiety about the regulatory compliance requirements that will arise around IoT in the coming years. According to another Gartner report, released in March, the overall IoT security market will exceed $3.1 billion by 2021, with roughly a third of that going toward endpoint and gateway security and the other two-thirds funneled to professional services.
"In IoT initiatives, organizations often don't have control over the source and nature of the software and hardware being utilized by smart connected devices," Contu says. "We expect to see demand for tools and services aimed at improving discovery and asset management, software and hardware security assessment, and penetration testing. In addition, organizations will look to increase their understanding of the implications of externalizing network connectivity."