Trustwave today released the "IoT Cybersecurity Readiness Report,"
which assesses the current and future
use of Internet of Things (IoT) technologies and corresponding security
practices and implementation challenges across organizations in a
wide range of industries. Astonishingly, although most organizations
surveyed plan to increase adoption of IoT into operations, only 28
percent consider security strategies specific to IoT as "very important."

Osterman Research conducted the survey on behalf of Trustwave, primarily
with midsize and large organizations with a median of 1,000 employees
per organization. Individuals with applied security experience or
knowledge were targeted. A total of 137 surveys were completed in
November 2017.

Key findings from the Trustwave IoT Cybersecurity Readiness Report include:
- IoT use is growing rapidly - Sixty-four percent of
organizations surveyed have deployed some level of IoT technology, and
another 20 percent plan to do so within the next 12 months. The result
will be that by the end of 2018, only one in six organizations will
not be using at least a minimal level of IoT technology for business
purposes.
- Security concerns cited as top barrier to increased IoT adoption -
Although greater than half surveyed plan on increasing use of IoT
technologies, 42 percent are either unsure or have no plans to
increase use. Fifty-seven percent cite security concerns as the number
one barrier to greater IoT adoption, followed by "not relevant to
operations" at 38 percent and "lack of budget" at 27 percent.
- Disparity between IoT use and security - Only 28 percent of
organizations surveyed consider that their IoT security strategy is
"very important" when compared to other cybersecurity priorities
within the organization. More surprising, however, is that greater
than one-third believe that IoT security is only "somewhat" or "not"
important.
- Most have already experienced an IoT-related security incident -
Sixty-one percent of those surveyed who have deployed some level of
IoT technology have had to deal with a security incident related to
IoT. While most of the reported incidents involved actual attacks -
e.g., malware infiltration (24 percent of the organizations
surveyed) and successful phishing and/or social engineering attacks
(18 percent), some were merely attempted attacks, such as
misconfiguration attacks (11 percent). Additionally, organizations can
be attacked by IoT devices from outside sources even though they have
no IoT devices deployed internally. Overall, most believe they will
experience an IoT security problem in the future, with 55 percent
believing it will happen during the next two years.
- Lack of patching policies and procedures - Only 49 percent of
organizations surveyed have formal patching policies and procedures in
place, and only about one-third patch their IoT devices within 24
hours after a fix becomes available.
- Insufficient risk assessment for third-party partners and testing
of IoT vendors - Fewer than one-half of organizations consistently
assess the IoT security risk posed by third-party partners, another 34
percent do so only periodically, and 19 percent don't perform
third-party IoT risk assessment at all. In addition, only 70 percent
of organizations perform their own security testing or piloting of
these devices, only 54 percent use published reviews, and only 32
percent use third-party testing services. Many (47 percent) rely on
vendors' security claims.
- Confidence in IoT security is not high - Only 10 percent of
those surveyed are "very" confident that they can detect and protect
against IoT-related security incidents, while 62 percent are only
"somewhat" or "not" confident that they can do so. The combination of
a low emphasis placed on IoT security, the sizeable proportion of
organizations in which security incidents have already occurred and
the perception that future security incidents are a virtual certainty
leaves decision makers with little confidence that they can defend
against IoT-related security incidents.

"Any device or sensor with an IP address connected to a corporate
network may open the doors to a devastating security incident," said
Lawrence Munro, vice president SpiderLabs at Trustwave. "As IoT adoption
continues to proliferate, manufacturers of IoT are sidestepping security
fundamentals as they rush to bring products to market. We are seeing
lack of familiarity with secure coding concepts resulting in
vulnerabilities, some of them a decade old, incorporated into final
designs. Because updating IoT devices by nature is more challenging,
many remain vulnerable even after patches are issued, and often patches
are not even developed. Organizations need to properly document and test
each internet-connected device on their network or face introducing
potentially thousands of new attack vectors easily exploitable by
cybercriminals."

"Interestingly, the security of IoT was identified as the leading
barrier to greater adoption," noted Michael Osterman, principal analyst
with Osterman Research. "There have been numerous IoT-related security
problems in the recent past and the problems will only get worse until
decision makers make security the key issue in their selection and
deployment of IoT-related devices."

Download Report
To download a complimentary copy of the "IoT Cybersecurity Readiness
Report," which includes recommendations by Trustwave security experts,
visit: https://www2.trustwave.com/IoT-Security-Report.html.