Last month, our 2017 Consumer Insights in IoT report revealed that despite feeling concerned about the security of IoT and the threat of cyberattacks on connected devices, half of consumers admit that they rarely or never change the passwords on their IoT devices. That problem becomes much larger in an enterprise setting, raising the question: who is in charge when it comes to securing IoT?
Right now, many companies are unsure of the answer. In the 2017 Study on Mobile and Internet of Things Application Security, conducted by the Ponemon Institute, IBM, and Arxan, companies admit that they have no plan to handle the influx of connected devices within their enterprise, with 44% of organizations stating they are taking no protective measures and 11% reporting uncertainty about whether they are doing so or not.
Such is the case with emerging technology, and it only stands to become more confusing with tens of billions of devices set to be connected by 2020.
Back in the day, technology devices were strictly under IT purview and while that made sense when it was solely computers connected to the internet, now it’s our vending machines, card readers, cameras, televisions, security systems, hair brushes (yes, that is not a typo), etc. Times are changing. These new connected devices are often overlooked because they fall outside of the traditional IT purview, which inevitably means exposure to cyber threats. We’ve already seen the consequences in the increase of attacks year over year. AT&T, in their IoT Evolution: Security Trails Deployment report, found a 458% increase in vulnerability scans of IoT devices in the last two years.
Responsibility for IoT devices now sits in flux between IT and business leadership, but is trending towards IoT as a business practice. In fact, only 5 percent of respondents in the Ponemon survey said they believe the Chief Information Security Officer (CISO) to have primary responsibility for IoT security anymore. The majority instead pointed to the business officers and operations professionals. One thing is for sure: what was once cut and dried no longer is.
IoT is now considered by many to be a transformative business operation rather than an IT or technology purchase.
Vodafone’s 2016 IoT Barometer Report found that 48 percent of IoT adopters are using the technology to support large-scale business transformation. Technology has merged with operations and while this means exciting innovation and collaboration, businesses do not want to let the security ball drop in the midst of the confusion. During the year 2016, Symantec saw an average of more than 4,000 ransomware attacks per day, a 300 percent increase over 2015, according to their 2016 Internet Security Threat Report.
And thus far, we can’t rely on vendors to juggle the ball for us. Poor security practices, such as including weak default passwords in hardware – that can never be updated – create opportunities for cyber-criminals that will only be exacerbated with the proliferation of IoT. According to CSO Online, cybercrime damages will cost the world $6 trillion annually by 2021, up $3 trillion from just last year.
Unfortunately, the security of IoT has become an afterthought, and it is up to those at the top to look backwards to develop courses of action when it comes to protecting devices from hacks and threats.
To ensure the blame game doesn’t continue, companies must ensure open communication between IT and business leadership in order to understand and defend against potential threats, and to identify the challenges within their enterprise regarding cybersecurity. Often companies have no idea about the total number of devices they have within their organization, so taking stock and inventory, finding every connected device under their watch, and increasing visibility would be a good place to start.