The penetration of “non-commercial” IoT devices in commercial networks is increasing. Devices such as smart light bulbs, heart monitors, fitness equipment, coffee machines, game consoles, and connected pet feeders may not rise to the level considered in organizational threat models, but they have become a problem because consumer IoT devices have few or no security controls. Poor IoT device security stems from manufacturers’ low-price strategies, where security is considered an unnecessary expense. Limited visibility, coupled with increasing remote work, has led to serious cybersecurity incidents.
Palo Alto's IoT security report, "Connected Enterprise: IoT Security Report 2021," provides insights into the adoption of non-industrial IoT devices and their penetration into business networks. Palo Alto Networks commissioned technology research firm Vanson Bourne to survey "1,900 IT decision-makers in organizations across 18 countries in Asia, Europe, the Middle East, and the Americas about their key IoT security concerns."
The main findings of the Palo Alto report are:
▲ The COVID-19 pandemic and its impact have made it more difficult to keep IoT devices secure.
▲ Almost all respondents who connected IoT devices to the network (96%) said their IoT security approaches needed improvement. A quarter (25%) said their IoT security strategies needed a complete overhaul.
▲ About half (51%) of the respondents who connected IoT devices to their networks said those devices were on a separate network from the one they used for their main business devices and applications.
▲ Technology executives may be losing sleep. Security cameras are a prime example of vulnerabilities. A Palo Alto Networks study in March 2021 examined 135,000 security cameras and found that 54% of them had at least one security vulnerability. This makes the cameras potentially vulnerable to hijacking and weaponization, allowing them to be used as springboards to launch attacks and gain access to the wider corporate network.
The report lists the types of attacks encountered:
▲ Industrial Internet of Things (IIoT) attacks: 55%
▲ Distributed Denial of Service (DDoS): 50%
▲ 46% of attacks were carried out using connected cameras.
▲ Medical Internet of Things (IoMT) attacks: 42%
▲ 37% of home network devices were attacked.
▲ 32% of attacks are on connected wearable devices.
Forrester Consulting prepared a separate report for Armis, "The State of Enterprise IoT Security in North America: Out of Control and Insecure." The Forrester Consulting report concluded that:
▲ 69% of enterprises have more IoT devices than computers on their networks.
▲ 84% of security professionals believe that IoT devices are more vulnerable to attack than computers.
▲ 67% of enterprises have experienced IoT security incidents.
▲ 16% of enterprise security managers said they have sufficient visibility into IoT devices in their environment.
▲ 93% of companies plan to increase security spending on IoT devices.
The Palo Alto report recommends:
▲ Change the default encryption.
▲ Ensure you know which devices are connected and monitor unauthorized devices.
▲ Segment the WFH network.
▲ Implement two-factor authentication.
▲ Ensure that security updates are deployed immediately.
The importance of implementing security solutions, practices, and controls to identify and protect IoT devices cannot be overstated. The insights provided in these two reports can be used to address inadequate security controls on these devices, which can expose businesses and their customers to higher risks of data loss, physical damage, and revenue loss. Organizations should adopt a proactive cybersecurity posture, as businesses are more vulnerable to cyberattacks when security protections are not deployed.