by Simon Edwards
IoT security is new frontline in the battle against enterprise cyber-threats. As more smart endpoints are connected to corporate networks, the potential for mass data theft, service outages, sabotage and more will only increase. Yet new Trend Micro research reveals that only half (53%) of IT and security decision makers regard IoT as a security risk. This is a major miscalculation that could cost their organisations dear in the long run.
You need to start planning now for ways to mitigate the new risks presented by IoT technologies. Our annual CLOUDSEC show in September will also provide some much-needed best practice advice in this area.
A growing risk
We polled 1,150 IT and security leaders in the US, UK, Japan Germany and France to find out more. Despite the lack of engagement on IoT as a security threat, these organisations suffered on average three attacks on connected devices last year, they told us. IoT endpoints are everywhere in the modern organisation, from smartphones to connected fire alarms and AC systems, CCTV cameras, smart kettles and fridges and IoT-powered factory systems. That means a potentially huge new attack surface. Many of these devices may not be officially sanctioned or secured by IT, further increasing the risk to the enterprise.
IoT endpoints are particularly risky because they are:
- Often not patched quickly by manufacturers
- Often hard to update
- Not built with security in mind. Ie they may rely on factory default credentials
- Always on and connected to the corporate network
- Capable of operating critical processes
- Lacking encryption in their communications
What we found
Unfortunately, IT and security bosses don’t quite see it that way. A worrying 43% of those we polled claimed that IoT security is an afterthought, rising to 46% in Germany. This is despite two-thirds (63%) agreeing that IoT-related cybersecurity threats have increased over the past 12 months. Just 38% claim to enlist the help of security decision-maker when implementing an IoT solution — which runs counter to best practice “data protection by design and default” rules mandated by the GDPR.
The bottom line is that IoT threats are no longer theoretical. From ransomware and crypto-miners to info-stealing attacks and Mirai-based botnet threats, attacks on smart systems are already well established. We’ve also detailed in the past how physical systems and even industrial robots could come under attack, representing a danger to the safety and well being of employees.
Improving IoT security
So what can organisations do to mitigate the growing range of IoT threats? Here are a few tips:
- Draw up a detailed IoT security policy
- Vet all new devices and don’t allow unapproved endpoints to connect to the corporate network
- Change default log-ins to strong, unique credentials
- Ensure device firmware is kept up-to-date via automated patch management
- Encrypt data stored on any connected devices
- Educate employees about IoT risks
- Implement network segmentation to reduce the risk of threats spreading
- Consider continuous network monitoring to spot threats early on
- Tighten access controls according to principle of least privilege
- Include IT security experts from the start in IoT implementation projects
To find out more on IoT threats and ways to secure your organisation, register now for CLOUDSEC 18. You’ll be able to network with peers and hear from senior Trend Micro experts alongside leading figures from academia, law enforcement, and industry.
What: CLOUDSEC 2018
When: Tuesday 4 September
Where: Park Plaza Westminster Bridge, London