We continue to hear dire warnings about the inherent security risks of the Internet of Things (IoT), and indeed IoT-related incidents are happening. With many companies beginning to capture IoT data from connected devices, a key question is are they doing enough to ensure that data and networks are secure?
If security executives thought they had a lot to handle with the growth of mobile devices and the expanding digital enterprise, the emergence of connected products, corporate assets, vehicles and other “things” is taking security coverage to a whole new level.
A December 2016 study by the Institute for Critical Infrastructure Technology (ICIT) — a cyber security think tank that acts as a conduit between private sector companies and U.S. federal agencies, points out how vulnerable enterprises are to attacks such as distributed denial of service (DDoS) via IoT.
Cyber criminals are expanding their control over vulnerable IoT devices, which can be used in DDoS-for-Hire services for an array of layered attack methods, the report says.
Meantime, IoT continues to take hold. A survey of nearly 1,000 enterprise IT buyers worldwide conducted by 451 Research from August to October 2016 shows that 71 percent of enterprises are gathering data for IoT initiatives today. Organizations expect to increase their IoT technology investments by 33 percent over next the 12 months, the study says. A huge majority (90 percent) will increase IoT spending over the next 12 months, and 40 percent will raise IoT-related investments by 25 percent to 50 percent compared with 2016.
However, security remains a concern, with half of the respondents citing it as the top impediment to IoT deployments.
“When it comes to IoT and security, I think it’s nearly impossible to overstate the need and the critical nature of security readiness,” says Laura DiDio, research director at 451 Research and lead author of the study.
“In IoT environments where devices, people and applications are interconnected, the attack surface or attack vector is potentially limitless,” DiDio says. “Threats are everywhere. This is a situation where organizations and their IT departments are well served by being a bit paranoid rather than being lax.”
Every IoT application, process and device is vulnerable, DiDio says. “Even the most stringent security mechanisms and measures can be undone by a single careless user who fails to follow the rules and implement security” on various devices, she says.
The largest security threats in IoT are those inherent in the need to interconnect devices, says Ed McNicholas, co-leader of the privacy, data security and information law practice at Sidley Austin LLP, who focuses on IoT as a part of his practice.
Sign up for CIO Asia eNewsletters.