Half of all IT leaders believe that the Internet of Things (IoT) is the weakest part of their security efforts, according to findings from security experts.
Released today, the study commissioned by Viakoo uncovers critical insights into the state of IoT security and the challenges facing IT and security executives.
The survey also indicates that over the past year, 50% of companies have experienced IoT cyber incidents, with 44% being severe and 22% threatening business operations.
“There is a ‘real-time’ factor to risk assessment of IoT security because these devices come and go and often include rogue devices that do not need access (such as a smart toothbrush in an employee’s backpack),” explained Kunal Modasiya, VP of product management, cybersecurity asset management at Qualys.
“Many organizations lack visibility into IoT devices on their networks because they rely exclusively on IP scanning or API-based integrations for their asset inventory, which cannot track those devices in real-time.”
According to the Viakoo report, the key to addressing these vulnerabilities is the implementation of the right technology stack for IoT security. While 90% of IT leaders believe that agentless security solutions are crucial, only a third (35%) feel successful in their efforts to remediate IoT vulnerabilities. Additionally, a majority of IT leaders (71%) say they wish they had started their IoT security plans differently, so that vulnerabilities could be remediated faster.
Furthermore, 83% of IT leaders agree that their attack surface has grown one application at a time, and they advocate a corresponding application-by-application approach to remediation.
“Building confidence in IoT Security Plans requires a multifaceted approach that encompasses various strategies and tactics to effectively mitigate risks and safeguard organizational assets,” said Sarah Jones, cyber threat intelligence research analyst at Critical Start.
The security expert added that this involves prioritizing vulnerabilities based on impact and exploitability, conducting regular risk assessments and implementing a zero-trust approach. Automating vulnerability scanning and patching expedites remediation, while standardizing configurations and integrating security into device development helps address vulnerabilities early. Partnering with trusted vendors is also crucial for ongoing security updates.
“The best tools professionals have in discussing IoT are case studies of near-peers who have run into issues and to convert the discussion from a technical perspective to risk,” commented John Bambenek, President at Bambenek Consulting.
“Boards are never going to understand the nuances of an embedded operating system, but they can understand that a competitor had an IoT breach that led to someone kicking over Active Directory and the company being down for days, causing lost revenue. Show that the risks have been realized by others and at what cost.”