Current IoT devices are not designed or deployed with adequate security, according to an expert pointing to a recent user survey.
Almost universally, IoT devices have not been built with security in mind. Indeed, the vast majority of these devices do not use any encryption and can be easily compromised by a teenager in seconds.
To help quantify the risk and the level of corporate preparedness, the third annual study on third-party IoT risk, “Companies Don’t Know What They Don’t Know,” was published in May 2019 by Shared Assessments and the Ponemon Institute, two industry leaders in risk assessments. Survey responses were gathered from 625 leading corporate governance and risk executives.
Some of the disturbing results from the survey are:
- 26% reported experiencing a data breach caused by unsecured IoT devices
- 84% say it is very likely their company will have a data breach caused by an IoT device
- 87% believe an IoT-launched attack, such as a distributed denial of service, is very likely to occur in the next two years
- 27% say their boards of directors require assurances that IoT risk is being assessed, managed and monitored
- 11% say their organizations currently educate employees about the risks created by IoT devices in the workplace
This suggests a perfect storm of insecure devices being deployed haphazardly in unprepared companies. With such dour survey results, where does the industry go from here?
Change will not come from IoT device manufacturers. They won’t waste money investing in securing their devices if no one is asking for it.
Instead, the change will be initiated by enterprise customers who rely on these IoT-enabled machines or devices to get their business done. Recent security breaches and IoT surveys, such as the Shared Assessments IoT survey, are a wake-up call.
Enterprise companies are now beginning to roll out IoT policies, controls and security awareness campaigns for the first time. Board members are beginning to wake up to the risk of IoT. IoT devices are now beginning to be subjected to security reviews, and those IoT devices that can’t meet the new corporate security requirements are being dropped.
The ball is being bounced firmly back into the IoT manufacturers’ court to begin integrating industry security standards into IoT devices, as well as building the functionality to allow enterprise customers to safely manage the legion of diverse IoT devices from central IoT platforms. Now is the time for IoT manufacturers to act. Otherwise, enterprise customers will wisely take their business elsewhere.
– Niall Browne is on the Shared Assessments Steering Committee, and is senior vice president of trust and security, CISO at Domo, Inc.