The State of IoT Security: Enterprises Are Leaving Their Front Doors Unlocked

Chris Rouland -
Enterprise security
Illustration: © IoT For All

Companies are spending billions to protect their networks as they move to the cloud. Bloomberg expects cybersecurity spending to exceed $200 billion a year by 2024, with network and endpoint security segments likely to see the most significant growth. The majority of that spending is dedicated to migrating from on-premises networks to cloud networks and the security challenges that come with that move. However, even with that gargantuan sum of money being spent by enterprises across the country, most businesses are still leaving their networks completely vulnerable as the hundreds of thousands of IoT devices situated on an organization’s network are serving as Trojan Horses for hackers.

In the last year, we’ve seen an abundance of IoT manufacturer hacks, such as ones at Sierra Wireless, Verkada, and Garmin, and there’s no sign of these attacks slowing down.

To put it simply, security is not a priority for Internet of Things device manufacturers. Manufacturers often lack the security expertise and the technical resources to integrate more sophisticated security protocols into their products. Many IoT devices implement new protocols, platforms, and solutions that have not been thoroughly vetted for security issues, resulting in vulnerable products. Luckily, Congress passed the IoT Cybersecurity Improvement Act late last year, which requires that any IoT device purchased with government money meets minimum security standards. While this bill focuses on IoT devices procured and used by the federal government, it’s a good set of guidelines for manufacturers that need to improve the security of their products. More stringent rules and requirements to govern IoT manufacturers will lead to fewer IoT security problems.

Organizations are bulking up existing tools to fend off attackers but are leaving their flanks exposed as IT teams do not have accurate records of their IoT devices. In other words, security executives are letting IoT security slip through the cracks.

Front Doors Unlocked

The average executive believes IoT devices make up 1% of their network; in reality, these devices actually make up about 43% of the access points. Gone are the days where PCs are your main concern. The compound annual growth rate (CAGR) for laptops is 0.3% growth, and the CAGR for IoT is 35.49% growth. With such a wide variety of IoT devices in the home and the office, it is easy to overlook the devices bad actors see as an opportunity in almost every vertical.

One reason that many devices are overlooked is that they fall outside the purview of the IT department and are completely absent from their radar. Most notably are cameras. Earlier this year, a hacker successfully exposed businesses, police departments, schools, jails, and hospitals by hacking into nearly 150,000 Verkada security cameras set to their default security settings. It set off a firestorm. Another easily overlooked device, essential both at home and in the office, is the printer. Because it’s easily connected over Wi-Fi, Bluetooth, etc., there are a significant amount of exposures, most with default credentials and thus vulnerabilities.

When devices are overlooked, they are not cared for. Out of 1 million customer IoT devices evaluated over the last year, 50 percent were found to have vulnerable firmware. Most were five to seven years behind on their updates, making them a straightforward target for hackers. Another 50 percent of those devices had default credentials, which are easily guessed then used by hackers to access the network. Regular patching, firmware updates, and credential changes are essential to basic security hygiene for all parts of the network and apply to devices.

To illustrate the depth of unknown device issues, an evaluation of more than 1 million customer IoT devices over the last year showed that 26 percent are end-of-life, meaning they are no longer supported. And, 18 percent of devices have critical vulnerabilities that would allow bad actors to take full remote control of them without using credentials. Without access to updates and no security fixes available, these devices need to come off the network or at the very least be segmented.

Out With the Old

Segmentation, the legacy approach to IoT device security, is no longer the most effective security measure available. Segmentation quarantines a device, or a group of devices, on a separate network, theoretically keeping insecure devices away from anything important. While segmentation alone is a solution, it is not a permanent one.

Even when segmented, insecure devices can still pose a threat through additional vector exposures, VLAN hopping malware, and other entry techniques. That’s why it’s also important to inoculate devices against vulnerability rather than segment them away.

Inoculation ensures that patches and firmware are up to date, credentials are rotated according to policy, and maybe most importantly, an accurate device inventory is kept that includes actionable data on device health.

It is impossible to secure every IoT device globally, but through automation, you can control your enterprise.
By 2025, it is estimated that there will be over 55.7 billion IoT devices in the world. There can be hundreds, thousands, or even hundreds of thousands of vulnerable endpoints that bad actors can use to infiltrate the network within a single organization. Therefore, putting a plan to manage, monitor, and secure connected IoT environments is crucial.

Security Hygiene

It takes four hours per year to conduct basic security hygiene measures for a single IoT device. When you look at that en masse then multiply it by all IoT devices on an enterprise’s network, it becomes infeasible to secure all these devices by hand. Automating basic security hygiene measures, including inventory management, patching, and credential management, can help already overtaxed IT teams keep up with device sprawl. Automating IoT security is also cost-effective, enabling security teams to focus on more important matters and be better protected against attacks.

As IoT devices continue to increase their footprint, now fortified with the power of 5G, a deeper understanding of the IoT market and how organizations should approach IoT security is needed. As the world prepares for the estimated 55.7 billion IoT devices to come online in the next four years, there should be an increased emphasis on stronger security measures built into devices and more proactive IoT security approaches taken by organizations.

Chris Rouland - CEO and Founder, Phosphorus Cybersecurity

Guest Writer
Guest Writer
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.