The Internet of Things (IoT) is challenging enterprises as IT teams struggle to secure the influx of newly connected devices.
In a survey conducted by Atomik Research, 404 IT professionals and 302 CIOs, CISOs and other director-level IT management personnel working in the finance, energy and retail sectors were asked how confident they are in the security of those IoT devices already connected to their corporate networks, as well as in their ability to mitigate associated risks.
Tripwire also surveyed 603 employed individuals who work remotely in critical infrastructure industries. Their responses reveal a number of important findings with respect to IoT security threats:
The Internet of Things and Cross-Contamination
One such revelation is the fact that employed consumers who work from home have an average of 11 IoT devices on their home networks. These devices include smartphones, video media and printers, all of which can be, and already have been, hacked in known exploits.
What makes this a problem is BYOD. In the survey, 25-50 percent of remote workers and IT personnel report that they have at least one IoT device connected to corporate networks. Also, three-quarters of both groups admit to accessing corporate documents from their home networks.
IoT devices therefore increase the risks of “cross-contamination,” or the transferal of malware from dubiously protected home networks to enterprises.
“It’s far more likely that employees will be infected with malware outside the enterprise,” said Craig Young, Tripwire security researcher.
A number of attack vectors make cross-contamination possible. One of the most well known is USB. As many devices can plug into USB ports for charging, including chargers for e-cigarettes, it would be feasible for IoT malware to exploit known vulnerabilities in USB.
Business Productivity Rules Out Over Security
Another key finding from Tripwire’s survey is that while 63 percent of C-level executives expect business efficiencies and productivity to force them to adopt IoT devices regardless of the security risks, only 27 percent of them are “very concerned” about the risks.
Chris Conacher, Security Development Manager at Tripwire, is not surprised by this discovery. “Executives view security risk in the context of all business risk and in comparison to some other types of risk, security may seem relatively low.”
The same cannot be said for information security professionals. Tripwire’s survey found that a majority (59 percent) of IT personnel who work in medium- and large-sized businesses are concerned that IoT could become “the most significant security risk on their network.”
This is likely due to the fact that only 30 percent of IT professionals believe their company has the technology necessary to adequately evaluate the security of IoT devices, with at least a fifth of respondents stating that they have “no visibility” into current protection levels.
Also, as noted in a recent blog post by Mark Stanislav, Security Project Manager for Duo Security, IoT devices, many of which are crowd-funded by people with little knowledge of security, will require constant updates, thereby further straining IT teams’ time and resources.
Understand Your Network’s IoT Risks
To help IT professionals better understand the risks associated with IoT, Tripwire has produced a short video that discusses common attack vectors, such as smart hub exploits and “war driving.”
Finally, in response to the risks posed by the Internet of Things, many information security professionals are already beginning to conceive of ways we can protect IoT devices while safeguarding our networks. Some strategic recommendations by leading security experts can be found in our previous blog post.