A survey finds vast differences in security practices linked to IoT devices in the enterprise, with attacks concentrating on insecure IoT endpoints.
On the Internet of Things, it pays to be secure. That’s the unmistakable conclusion of a new survey of some 700 product security professionals with responsibility for connected products. The survey, sponsored by the firm DigiCert, found wide disparities in the security of IoT devices, with the least secure devices six times as likely to suffer from online attacks.
The survey of 700 enterprise organizations in the US, UK, Germany, France and Japan, conducted by ReRez Research, found that 100% of enterprises with the worst Internet of Things security hygiene had experienced at least one security incident, compared to less than a third (32%) of the enterprises judged to be the most secure. The difference had a bottom-line impact: among surveyed companies struggling the most with IoT security, 25 percent reported IoT security-related losses of at least $34 million in the last two years, DigiCert reported.
“We were shocked,” said Mike Nelson, a Vice President at DigiCert in charge of healthcare solutions. “Every single bottom tier company experienced a security misstep. They were six times as likely to experience a (denial of service) attack or data breach, more than six times as likely to have unauthorized access to an IoT device and 4.5 times as likely to be infected with malware or ransomware,” he said.
Among the companies that scored best on security measures in the survey, DigiCert identified five common practices. These include encrypting sensitive data both at rest and in transit to and from IoT endpoints. The most secure IoT devices also supported secure (signed) over-the-air software updates, which kept them patched against new vulnerabilities, Nelson said.
For organizations that struggled with security, cost and time to market were often to blame. “They’re saying ‘we’re spending money on security, but it is hard to monetize it or receive benefit from (the investment),’” Nelson told Security Ledger.
One message of the survey should be that the cost of not doing security can be much higher than the cost of doing it, Nelson said. “If you showed this to a CISO and said 25% of bottom tier orgs have a financial impact of $34 million or more in the last 2 years, that would get their attention.”
The biggest drivers of costs for insecure Internet of Things products were monetary damages, lost productivity, legal and compliance costs as well as a drop in stock price.
Data from the survey doesn’t single out any one industry as more or less mature. Firms in industries like consumer products, transportation and healthcare fell into the top and bottom tiers in more or less equal numbers. The differences came down to the culture of the organization, Nelson said. “You might have two organizations of similar size, but one is 2 to 3 years ahead in security maturity,” he said. Adverse incidents often provide the incentive to invest more heavily in IoT security, Nelson said.
Still, firms would do well to prioritize security. Eighty-three percent of respondents indicated that IoT is extremely important to them currently, while 92 percent said they anticipate IoT to be extremely important to their respective organizations within two years.