Nearly three quarters (72 percent) of senior IT professionals say that the pace of innovation in IoT and varying standards for security are making it hard to ensure that IoT devices and apps remain secure.
That’s according to a study sponsored by risk management consultancy Shared Assessments and conducted independently by research organization Ponemon Institute.
Ponemon Institute surveyed 553 individuals who had a role in the risk management process and are familiar with the use of IoT devices in their organizations. It was clear that these IT professionals were aware of the IoT security risks – with 94 percent of them stating that it was ‘very likely’, ‘somewhat likely’ or ‘likely’ that a security incident relating to unsecured IoT devices or applications could be “catastrophic”.
Read more: ENISA works with industry on IoT cybersecurity requirements
A question of priorities?
However, 42 percent of respondents said that their organisation found it difficult to manage the complexities of IoT platforms because of the number of vendors, while more than three-quarters (76 percent) said their company did not include the secure use of IoT devices in training or awareness programs and more than two-thirds (68 percent) said their business did not evaluate the IoT security risks as part of the on-boarding process for third parties.
The research found that their approaches don’t take innovation into account. More than half (55 percent) of respondents considered IoT devices to be endpoints to their network or enterprise systems, but only 44 percent said their organizations monitored the risk of IoT devices used in the workplace.
In fact, only 16 percent of those surveyed said their organizations kept an inventory of managed IoT devices and applications. When asked why, the main reasons given were that there was no centralized control over IoT devices and applications used in the workplace (85 percent), there was a lack of resources to track IoT (56 percent), or that it simply wasn’t a priority (41 percent).
This suggests that many organisations are still relying on legacy security methods to protect their network from insecure IoT devices or applications. Traditional network firewalls (94 percent), anti-malware software (91 percent) and intrusion prevention systems (78 percent) were the top three ways respondents said their organizations protected their network from insecure IoT devices and apps. The report suggests that businesses needed to look at new IoT security innovations.
Read more: No more security through obscurity for IoT device makers
The four ‘v’s’ that equal vulnerability
There are numerous IoT management products available from the biggest vendors such as Google, Amazon and Microsoft, as well as start-ups, with an increasing number of new IoT products available on the market. However, despite the rise of internet-connected devices and innovation in products to manage these devices, Rob Bamforth, analyst at IT advisory company Quocirca, doesn’t believe that it is the pace of innovation that is making it difficult for enterprises to beef up their IoT security practices.
Instead, he suggests that enterprises have to contend with several different types of problems all at once, which make it tougher to ensure that their IoT devices and apps are secure.
This includes the volume of devices, the variety of applications, the velocity of data and the veracity of users.
“In big data, those four ‘v’s’ add up to ‘value’ – but in IoT they add up to ‘vulnerability,” he says.