IoT May be a Hacker’s Delight, Both Inside and Out

Security is the Achilles Heel of IoT, and IoT may be the Achille’s heel of today’s enterprise networks. Those are the conclusions of two recent industry surveys, which are sounding the alarm over the vulnerability of IoT devices to tampering, hacking or other incidents.

Three in five respondents to a Ponemon Institute and Keyfactor survey of 603 IT and security professionals (60%) say they’re adding additional layers of encryption technologies to secure IoT devices, but 46% admit low ability to maintain IoT device identities and cryptography over device lifetime.

See also: NIST Publishes Draft Security Recommendations For IoT Manufacturers

Accordingly, securing IoT devices and staying ahead of certificate expiration have become top strategic priorities for IT teams. Emerging connected devices present a significant challenge for enterprises, as attackers seek to exploit weak credentials to steal data, disrupt services or distribute malware. When asked to rank their top three strategic priorities for digital security, 48% of respondents prioritized authenticating and controlling IoT devices, while another 43% say knowing the expiration date of certificates is critical.

Another survey of 540 IT professionals from Extreme Networks reveals security precautions are “falling flat” and businesses underestimate the pervasiveness of insider threats. Eighty-four percent of organizations have IoT devices on their corporate networks. Of those organizations, 70% are aware of successful or attempted hacks, yet more than half do not use security measures beyond default passwords. “The results underscore the vulnerabilities that emerge from a fast-expanding attack surface and enterprises’ uncertainty in how to best defend themselves against breaches,’ the survey report’s authors state.

A majority of professionals, 55%, believe the main risk of breaches comes mostly from outside the organization. At the same time, more than 70% believe they have complete visibility into the devices on the network.

Nine out of 10 IT professionals are not confident that their network is secured against attacks or breaches. Financial services IT professionals are the most concerned about security, with 89% saying they are not confident their networks are secured against breaches. This is followed by the healthcare industry (88% not confident), then professional services (86% not confident). Education and government are the least concerned of any sector about their network being a target for attack.

Skills shortage and implementation complexity are also hampering security measures. One-third of all security deployment projects fail, and the top reasons for unsuccessful implementations are a lack of qualified IT personnel (37%), followed by too much maintenance cost/effort (29%), and implementation complexity (19%).