According to a recent survey, only a minority of executives believes that the risks associated with IoT have the potential to become the most significant threats on their networks.
The study, conducted by Atomik Research on behalf of Tripwire, surveyed 404 IT professionals and 302 executives from retail, energy and financial services organizations in the U.S. and U.K. It examines the security impact of connecting Internet of Things (IoT) devices to enterprise networks.
Some of the most significant findings of the study include the following:
- Fewer than one in four IT professionals are confident in the secure configuration of common IoT devices that are already on enterprise networks, including VoIP phones (21 percent), sensors for physical security (20 percent), and smart controllers for lights and HVAC (16 percent).
- The 2014 Trustwave Global Security Report identifies retailers as the top industry target for cybercriminals, comprising 35 percent of the attacks studied. However, nearly half of retail IT professionals (46 percent) were “not concerned” about cybercriminals targeting IoT devices on their network.
- Only eight percent of energy IT professionals are concerned about cybercriminals attacking industrial controllers, but 88 percent are not confident in the secure configuration of industrial controllers.
Chris Conacher, Security Development Manager for Tripwire, believes this survey’s results indicate that most enterprises are not adequately prepared to address the risks associated with connecting IoT devices to their networks.
“The reason many enterprises are relatively ‘unconcerned’ about the security of IoT devices is because they misunderstand the risk. They may believe they have ‘solved’ the security problem when they have not. Alternatively, they may believe that there is no security problem when there is.”
This disregard for security permeates all aspects of the Internet of Things. As Mark Stanislav of Duo Security wrote in a recent article for Tripwire, the fact that many IoT devices are being crowd-funded means that the people responsible for developing these products likely have little security experience. As a result, IoT devices are being developed insecurely, even though companies have a responsibility to make sure security features are in place from the beginning.
Craig Young, Security Researcher for Tripwire, notes just one way attackers could potentially exploit this misunderstanding of the security risks: “While consumer-focused IoT devices present minimal direct risk to the enterprise, many of them connect back to a vendor’s infrastructure via the Internet to store user data. Successful attacks against these backend infrastructures would provide attackers with user credentials and other information that could enable them to gain a foothold into an employee’s home network.”
Acknowledging this, it is imperative that enterprises gain a better understanding of the risks at hand so that they can work to help standardize IoT security. Paul Simmonds, CEO at Global Identity Foundation, agrees with this sentiment:
“The survey highlights the need to be able to build security and identity into the Internet of Things in a standard way that IoT devices can be on-boarded into whichever environment is required – home, business or national critical infrastructure. Otherwise, a plethora of cloud-based solutions unique to each manufacturer, supplier, or even device will lead to chaos and insecurity.”
You can also download the full whitepaper of the Atomik study here.