IoT Ecosystem > Enterprise IoT Blog



IoT security is the "The Invisible or Forgotten Man."

by User Not Found | Feb 12, 2016

Forget about being the 800 lb. Gorilla in the room. IoT security is the "The Invisible or Forgotten Man."

The overwhelming majority of businesses treat security as an afterthought. They decline to dedicate the necessary money, manpower and resources to safeguarding their data assets unless or until a catastrophic breach occurs. And sometimes not even then. This is despite, or perhaps because of, the nearly daily blitz of articles detailing the latest hack into multinational global corporations or supposedly secure government agencies. Many organizations take the "if it’s not broke don't fix it" approach. Or, they reason (incorrectly) that a successful security penetration resulting in lost, damaged or stolen data or, a breach that compromises the firm's Intellectual Property (IP) won't happen to them.

Wrong.

A 61% majority of the over 600 corporate respondents to Strategy Analytics IoT 2016 Security Threats and Trends Survey: Perilous, Porous and Pernicious acknowledged that their corporate networks experienced or may have been hacked in the last 12 months.  That left a 39% of survey respondents who said their organizations had not suffered a security breach.

That’s not the worst news, though. Four-out-of-10 corporate survey participants admitted that they were unable to determine the type of security breach; the duration or severity of the attack!

Four-out-of-10 corporate survey participants admitted that they were unable to determine the type of security breach; the duration or severity of the attack! If your firm doesn't know that its network, devices and applications have been compromised, it's in real trouble. A corporation that finds itself in this situation is operating blind. It doesn't know what's going on; it can't assess the damage being done to its own business and end users or that of its customers, business partners or suppliers.  Intellectual Property (IP) is potentially at risk or compromised and the threat of lost, stolen and damaged data is almost a certainty. There's also a heightened risk of litigation.

Ignorance is not bliss.

What you don’t know can and will hurt your business and in a worst case scenario put your business out of business.

In the Digital Age of the Internet of Things (IoT), mobility and BYOD the lines of demarcation between corporate and personal data have blurred to indistinction. Threats are everywhere.

People, devices and applications are increasingly interconnected across ecosystems. The attack vector rises commensurately and is potentially limitless. Ergo, the chances of getting hacked and the amount of damage a security breach can inflict, is also much greater. A word here about BYOD and mobility: SA's survey data also indicates that two-thirds of businesses do not require corporate workers  to inform them when their employee- or corporate-liable devices have been compromised and only about 30% of organizations currently have security policies in place regarding usage.

A 56% majority of corporate enterprises rank careless end users constitute a bigger threat to corporate IoT security than the combined danger of an edge/perimeter attack and internal security breach by company insiders.

The Internet of Things offers greater opportunities but in interconnected environments, the security risks increase exponentially and the attack vector or surface is in theory, potentially limitless. The survey responses indicate that corporations are confronting an IoT security threat landscape for which they may be woefully ill-prepared. 

Overall, the survey shows that although organizations recognize the growing security threat, they are not responding according. The survey results found that companies are not dedicating adequate budget, manpower or resources to defend their corporate, IoT and cloud networks. 

Among the other top survey findings:

  • Majority of Companies Spend Little Time on Security. A 70% majority of survey respondents spend 0% to 20% of their time on securing their corporate and IoT networks (See Figure 1).  The survey data indicated that only a 7% minority of company IT departments devote over 50% of their time to security!  Among the companies that allocate a majority of their time to safeguarding the corporate data assets, over two-thirds of those organizations are in Banking/Finance, Government, Defense and Aerospace vertical market segments, according to SA’s survey responses.
  • IT Security Spending Varies Widely. The amount of money corporations spend on securing their corporate and IT Security spending varied widely. Tellingly, the largest segment of participants – 40% - was unsure how much their companies spent annually safeguarding the corporate data assets.  A 19% minority spend $1 to $20 million annually on security while 11% spend less than $100,000 and 20% reported they do not have a separate IT security budget. The remaining 13% of respondents spend between $101,000 and $999,999 annually on security hardware, software and services.
  • End Users Constitute Biggest Threat to IoT Security. To reiterate, a 56% majority of respondents said the biggest security threat to their IoT networks was “end user carelessness” followed by 42% who cited “malware”; 32% who said “spyware” and 25% who said Mobile and BYOD devices.
  • More Companies Experience Hacks. One-third – 31% of participants said their firms had experienced a hack within the last 12 months vs. 39% that said “No.” However, 25% of participants said they were “Unsure” if their companies had been hacked and the remaining 5% said “they had no way of knowing!”
  • Risky Business: 44% of Firms that experienced a security hack were unable to determine the source of the hack, the type of hack or the duration or severity of the hack which puts the business at elevated and extreme risk for a repeat attack. This means that hackers can potentially invade the network and steal, change, hijack valuable data and Intellectual Property without the company’s knowledge and also use the corporate IoT network as an entry point/gateway to other connected partner ecosystems.
  • Denial of Service Attacks Proliferate. DoS attacks at the network, physical and application layers and end user carelessness & failure to turn on security are the most likely causes of successful security hacks. However, in a worrisome trend, nearly four-in-10 businesses – 38% - of survey participants acknowledged they were unable to determine what type of hack their firm had experienced. This means the company also lacked other vital information and it’s likely their data assets, Intellectual Property (IP) and data privacy could have been compromised or stolen without their knowledge. Consequently this places the business, its ends users, customers, business partners and suppliers at increased risk of vulnerability and leaves it open to further security breaches.
  • Few Firms Successfully Detect, Repel Security Attacks. Only six (6%) percent of businesses said they were able to detect and thwart breaches in advance of a successful penetration that disrupted the network or resulted in damage or lost data.

Conclusions

Organizations of all sizes and across all vertical markets need to step up their security initiatives. 

IoT is a disruptive technology.  It is complex and challenging. Although many aspects and components of IoT are in use today, IoT security and data privacy will demand that vendors, OEMs and corporate end users step up their game with respect to security and data privacy.

Once again, in a world where devices, applications and people are increasingly interconnected, the attack surface is potentially limitless. Organized hackers have become more proficient and the hacks more pervasive and pernicious.  Corporations must be proactive and not reactive with respect to security. You are responsible for the defense of your data and Intellectual Property.

Ask yourself: how much risk can you tolerate? How much loss can you sustain?  What have you got to lose?

For more information about the Strategy Analytics IoT 2016 Security Threats and Trends Survey contact me at: ldidio@strategyanalytics.com

Previous Post: Smart Cities are evolving, with ICT revenues expected to reach $977 Billion by 2022 | Next Post: IBM z13s Delivers Rock Solid Security, Fault Tolerant Reliability for IoT, Hybrid Clouds
Leave a comment