Vendors, users ignoring IoT security in rush to market – report

Report warns of lax security among IoT users, and blames manufacturers for coding decade-old flaws into IoT devices.

A new report has found a serious disparity between how widely organisations are adopting IoT and how ready they are for it from a cybersecurity standpoint.

Moreover, it blames inexperienced manufacturers for opening the door to long-forgotten security problems.

Though most organisations plan to increase their adoption of IoT technologies, only 28 percent consider IoT-specific security strategies to be “very important”, according to the IoT Cybersecurity Readiness Report, published by Trustwave.

A further one-third of organisations consider IoT security strategies to be “somewhat” important or not important at all, says the security company.

Osterman Research ran the survey for Trustwave among midsize and large organisations. The report comes in the wake of a number of others that have warned of the dangers of IoT systems increasing the security threat via insecure devices, or by enlarging the attack surface.

The report offers hard evidence of the IoT’s expansion, too. Trustwave found that 64 percent of the organisations surveyed have deployed some level of IoT technology, while a further 20 percent plan to do so within the next 12 months.

Ironically, 57 percent cite security concerns as the number one barrier to greater IoT adoption, followed by “not relevant to operations” at 38 percent, and “lack of budget” at 27 percent.

IoT security incidents

Some of the report’s other findings call into question organisations’ lax security response to the IoT challenge. Trustwave found that 61 percent of the respondents that have already deployed IoT technology have experienced a security incident directly related to it.

For example, 24 percent of respondents reported malware infiltration via the IoT, and 18 percent cited successful phishing and/or social engineering attacks. Overall, most believe that they will experience an IoT security problem in the future, with 55 percent believing it will happen over the next two years.

“Any device or sensor with an IP address connected to a corporate network may open the doors to a devastating security incident,” said Lawrence Munro, VP of SpiderLabs at Trustwave.

Munro laid the blame at device manufacturers’ door: “As IoT adoption continues to proliferate, manufacturers of IoT are sidestepping security fundamentals as they rush products to market,” he said.

“We are seeing lack of familiarity with secure coding concepts resulting in vulnerabilities – some of them a decade old – incorporated into final designs.

“Because updating IoT devices by nature is more challenging, many remain vulnerable even after patches have been issued, and often patches are not even developed.

“Organisations need to properly document and test each internet-connected device on their network, or face introducing potentially thousands of new attack vectors easily exploitable by cybercriminals,” he added.

Internet of Business says

The fact that so few organisations appear to attach much importance to IoT-specific security policies and technologies is alarming – not least because enterprise vendors have been warning of the dangers for years. It stands to reason that the attack surface of the IoT is large and ever expanding, opening the network up not just to attacks targeted at individual organisations, but also to attacks aimed at types of device across the entire IoT.

All security policies should embrace the IoT, especially when incoming regulations, such as GDPR, will impose serious financial penalties for data breaches. The fact that some may occur via the IoT will be no excuse.
