IoT security: Half of IT departments don’t change default passwords

Almost half (47 percent) of CIOs and IT managers have allowed IoT devices onto their corporate network without changing the default passwords – even though one of the first steps that companies are advised to take with IoT devices is to change security defaults.

This is according to research from cybersecurity company ForeScout, conducted by research group CensusWide.

According to ForeScout, there are 5.7 million registered businesses in the UK, and if the survey stats applied across all of them, then nearly 2.7 million organisations would be leaving obvious vulnerabilities for cyber criminals to exploit.

A default password can be the easiest way for hackers to work their way inside a network, causing potential damage not only to individual devices and the IoT system, but also to the whole organisation in terms of lost data or reputation.

The risk to businesses is further compounded by 15 percent admitting that they had failed to keep security patches up to date on connected devices. Only 54 percent were completely confident that they had full visibility of their system and could identify every device on the network.

Growing attack surface

Unless organisations take steps now to secure their networks, the problem can only get bigger as the number of devices increases. ForeScout reports that 40 percent of respondents said they are planning to increase their operational technology spend on connected devices.

However, 72 percent of IT managers admitted they are concerned about the security implications of adding more devices to their networks.

“The convergence between IT and operational technology is where businesses are looking to drive major efficiency gains in 2018, but it makes the challenge of knowing exactly what devices are on your network that much harder,” explained Myles Bray, VP EMEA, ForeScout.

“IoT has expanded the attack surface considerably for all firms, and without basic security hygiene it is easy for bad actors to gain a foothold and then move laterally on a network to reach high-value assets and cause business disruption. With GDPR just around the corner businesses need to act now,” he said.

Meanwhile, a recent CISO survey by research company Ponemon Institute, found that nearly half (47 percent) of CISOs were worried about a potential breach due to their organisation’s failure to secure IoT devices in the workplace.

IoT, mobile, and cloud ranked as the top three disruptive technologies for companies to secure in 2018.

However, Natan Bandler, CEO and co-founder of security company Cy-OT, suggested that most organisations are exposed to severe vulnerabilities due to IoT deployments, and so that 47 percent figure should be significantly higher.

“Attacking the IoT device itself is not the problem here. The fact is that these IoT devices have access to huge amounts of sensitive assets, and the IoT device is simply being used as a way to reach this data,” he said.

“IoT devices are the easiest way into an organisation, as they are the weakest link in a business’ cybersecurity chain. Organisations have zero visibility into these devices, and they are not protected adequately,” he added.

Considering that a significant number of companies are failing even to change devices’ default passwords, it is likely that many more will be breached in the months ahead.

Internet of Business says

While securing IoT systems can be complex, multiple reports have found that many organisations lack a strategy for doing so, while many are also ignoring basic security procedures. This lapse of judgement on their part could prove to be a serious oversight.

As vendors rush to market with more and more devices, many lack the necessary experience of enterprise-grade deployments, which creates a toxic environment in which more decision-makers are aware of the risk than are taking responsibility for fixing things.

Internet of Business is committed to providing answers to these and related problems, and not just reporting their existence.