Report: IT stakeholders doing little to address IoT cyberattacks

Businesses across the globe are expected to activate more than 4 billion new connected enterprise assets this year, further expanding the internet of things, a network currently encompassing roughly 8.3 billion devices, according to analysts at Gartner. These IoT implementation efforts will cost more than $772 billion, the International Data Corporation projected.

Most organizations are, of course, happy to allocate such significant amounts to mobile connectivity projects as on-the-go workflows have quickly become standard across virtually all industries. However, it appears that the information technology stakeholders responsible for protecting enterprise IoT setups are not prepared for such work, especially where it concerns mitigating third-party risk, according to a recent survey from the Ponemon Institute and the Shared Assessments Program.

The firms connected with more than 600 professionals responsible for technology governance program development and asked them to assess their IoT-centered data security capabilities. Approximately 38 percent of respondents said their respective enterprises lacked third-party risk management stakeholders. This suggests that organizations are diving head first into expansive IoT initiatives without configuring workflows for evaluating external IT partners to assess and mitigate risk, an essential aspect of proper enterprise IoT management. 

"The rapid adoption of IoT devices and applications is not slowing down and organizations need to have a clear understanding of the risks these devices pose both inside their own and outside their extended networks," Charlie Miller, senior vice president for the SAP, explained in an interview with ZDNet.

Understanding IoT risks
IoT technology can catalyze transformation across organizations of all sizes. However, such connected assets also create risk, as each device becomes a potential back door for cybercriminals looking to gain access to company servers. Device loss has, historically, ranked among the top IoT data security threats – and for good reason. More than 40 percent of the data breaches that unfolded between 2005 and 2015 were traced to misplaced or stolen devices, according to analysts at Trend Micro. This data indicates a high level of institutional negligence, something even the most advanced data security hardware and software will never be able to address.

In addition to siphoning sensitive information from lost or stolen devices, hackers regularly tap into IoT networks and weaponize the devices within them. Most incorporate connected assets into massive IoT botnets used for distributed denial of service attacks. The Mirai botnet is the most well-known example. In 2016, three college students crafted Mirai by infecting more than 300,000 mobile devices with malware that transformed them into zombified assets ideal for use in DDoS attacks, Wired reported. What began as a tool for disrupting servers for the popular videogame "Minecraft" quickly transformed into a dominant DDoS force capable of disrupting the entire internet, something the creators of Mirai accomplished by shutting down the DNS service provider Dyn in October 2016.

While law enforcement eventually apprehended the individuals responsible for designing and deploying Mirai, hackers began making copies in an attempt to replicate its success. None of the imitators have come close. However, the race to develop the next Mirai did result in a 91 percent increase in DDoS activity during 2017, according to research from Corero Network Security.

Unfortunately, the IoT data security situation will likely worsen over the foreseeable future due to the sheer volume of new connected devices gaining service. In fact, more than 60 percent of enterprise IT professionals believe mobile threats will increase in number and severity throughout 2018 and beyond, according to research from Verizon Wireless. With this in mind, businesses have no choice but to invest in extensive IoT security solutions and workflows – especially those centered on third-party collaboration, governance and risk management.

Addressing risk in the IoT era
However, it seems organizations are ill-prepared to address the risks that come along with connected enterprise assets, according to the Ponemon Institute and SAP survey. On top of revealing that modern businesses are failing to appoint stakeholders responsible for addressing hazards associated with third-party IoT hardware and software, the report showed such risk management activities are severely underfunded. A mere 30 percent of respondents said their enterprises sufficiently funded internal initiatives centered on reducing risks created by third-party IoT solutions. Sadly, participants were all too aware of the unfortunate events that could unfold due to the lack of risk management. More than 80 percent said their firms were likely to experience data breaches directly related to insecure IoT fixtures over the next 24 months. The survey respondents are wise to actively nurse these fears as almost half of all firms using IoT technology have suffered data breaches due, in part, to hasty implementation efforts and faulty risk management strategies, according to analysts at the consulting firm Altman, Vilandrie and Company.

The current state of affairs necessitates immediate action on the part of enterprise IoT adopters. What can IT and business leaders do to reduce the risks associated with putting into place third-party IoT assets and systems? Selecting an experienced risk management leader is the first step. Ideally, these individuals should have some technical experience as this knowledge will help them grasp the solutions they oversee and the problems that accompany them. Those with traditional IT risk management know-how must be open to changing how they operate, according to Gartner. IoT has complicated how businesses must deal with IT hazards as numerous new variables – e.g., insecure wireless internet usage – must be included in the risk management equation. Stakeholders in charge of mitigating IoT risk must eschew traditional strategies for newer methodologies attuned to enterprise IoT technology. 

With risk management leaders in place, organizations can move on to developing standardized vendor selection processes. This has traditionally been a significant pain point for enterprises implementing large pieces of digital infrastructure. Due to the explosive nature of the IoT market, there are countless options out there for businesses looking to adopt connected workflows, and many offer strong functionality. However, only top-level software and hardware providers provide layered data security controls, which are critical for firms integrating IoT into essential operations, IT analyst and Forbes contributor Janakiram MSV explained. IoT networks normally consist of multiple layers. According to the open source community Eclipse, vendors support setups with at least three primary layers:

  • Device operating system.
  • Hardware abstraction.
  • Communication support.

These components are integrated into a cohesive workflow via an overarching remote management system. Each of these layers should be protected by specialized data security controls designed to reduce risk. For example, the communication support layer might leverage public key infrastructure or transport layer security to facilitate encryption and ensure all communications between network devices are protected.

That said, IoT risk management activities do not come to an end following the vendor signing and implementation period. Businesses must promote user best practices and leverage internal and external IT teams to continually test networks and look for vulnerabilities. Many fail when it comes to both objectives. Of the four primary mobile best practices – changing default passwords, encrypting data, restricting access and testing security systems – only 14 percent of modern enterprises have embraced all of them, according to Verizon Wireless. This must change in order for businesses to reduce the risks associated with IoT technology and stimulate growth while protecting end users, company assets and customers.

Companies that want to embrace IoT but avoid the risk management pitfalls that have affected many of their predecessors must carefully plan their implementation efforts and prepare existing infrastructure for secure mobile device usage. For most, this might involve embarking on IT modernization journeys. The Inventu Corporation is perfectly positioned to help with such efforts.

Our innovative Flynet Viewer simplifies screen integration, easing the IT modernization process while meeting employer and staff expectations in a way that feels both familiar and simple. Review our product page to learn more about the Inventu Flynet Viewer and the other solutions in our extensive portfolio.