Conversations surrounding IoT cybersecurity often verge on the hyperbolic, playing up outlandish-sounding scenarios involving hacked cars and airplanes, pacemakers and the power grid. But a spate of recent news, including a cyberattack targeting the city of Atlanta and Russian meddling with the U.S. power grid gives credence to threat. As does a recent survey from the Ponemon Institute and Shared Assessments, which indicates a certain amount of paranoia regarding unsecured IoT deployments is well-founded. Perhaps most telling is the fact that 97 percent of the 605 security and corporate governance professionals agreed a data breach or cyberattack related to IoT devices could be catastrophic.
Meanwhile, the average number of IoT devices within a given organization is steadily ticking up, hitting 15,874, according to the survey. But less than half of those organizations — 44 percent — keeps an inventory of those devices, leaving them ill-equipped to detect suspicious IoT-based malware or network activity. “If you don’t know what is connected to your network, how are you going to monitor if anything bad is going on?” asked Charlie Miller, senior vice president of The Santa Fe Group and Shared Assessments who was involved in the research.
The research also indicated that the most common way to manage IoT-related third-party risks was with contract clauses and policies. “It is good to have those in place, but we don’t really see a lot of focus on monitoring those clauses or policies in operational situations,” Miller said. ‘Many times, those documents just sit on the shelf.”
On the bright side, the survey, “Second Annual Study on The Internet of Things (IoT): A New Era of Third-Party Risk,” did measure a perceptible increase in awareness of the threat posed by IoT cybersecurity in general over last year as well as increased understanding how IoT deployments can drive third-party risk. But many organizations could improve when it comes to devising specific measures to address such concerns. “We have a hard enough time fixing issues we identify with IT devices or applications,” Miller said. “When you have an IoT device that may not be able to be updated with any kind of security features, that is even more problematic.”
Still, dedicated IoT security spending is ticking upwards. Gartner recently concluded that global IoT security investment will hit $1.5 billion this year — a 28 percent rise over last year.
On the other hand, IoT-based attacks have yet to affect the majority of the organizations involved in the survey, but they have increased substantially in the past year. In 2017, 15 percent of the professionals surveyed reported a data breach, while 16 percent said they had been hit with a cyberattack. This year, the figures for both reached 21 percent.
While risk and security professionals are more acutely aware of the risk, a substantial number of business leaders are not. “There is still a disconnect between the professionals who are identifying this stuff and getting the right word up to the board to take action upon it,” Miller said.
The steadily increasing number of IoT devices used in enterprise as well as consumer settings will likely open up wholly new types of cyberattacks, Miller said. “In a recent steering committee meeting, someone joked: ‘This will become a problem when your Alexa tells your refrigerator to order food based on your last order. Then, your refrigerator communicates to your PayPal, Venmo or Zelle account and the payment is made without you even knowing it,’” Miller recounted. “You have exposure across all of those devices.”