Internet of Things (IoT) devices are becoming an increasingly important part of enterprise environments, yet companies continue to fail at securing them properly, a recent report sponsored by ForeScout reveals.
According to the research, nearly three quarters of enterprises either lack effective protection for their IoT devices or don't know what protection is in use. At the other end, only 19% of organizations run a specialized agent that monitors the network, while 7% say they use a different approach to securing IoT devices, the report says.
Products that fall into the IoT category have long been said to put both enterprises and their customers at risk. Many such devices ship with vulnerable software or reuse the same cryptographic secrets across every unit sold, so a key extracted from one device unlocks all of them; some are even sold with malware embedded from the start.
There are also devices that, although secure on their own, aren't properly protected once they enter a company's network, which turns them into security hazards. A recent example is the failure to secure thousands of Internet-connected printers around the world, which allowed a researcher to reach them over TCP port 9100 and make all of them print an anti-Semitic flier. Port 9100 is the raw (JetDirect) print port: it accepts whatever bytes are sent to it as a print job, with no authentication, so a printer that exposes it to the Internet can be driven by anyone who can open the connection.
Produced by Webtorials and sponsored by ForeScout, the new research shows not only that many organizations lack the proper security policies for IoT devices in their networks, but also that a large number of professionals working within these organizations lack the necessary awareness regarding these devices.
People involved in designing, deploying and operating an enterprise communications network don't really know to what extent IoT devices have penetrated the enterprise's network or how they are secured, the report shows.
According to the survey, conducted among professionals who "represent the technological elite in IT and Telecommunications," 66% of respondents believe that 25% or fewer of the devices on their network are IoT. At the same time, 85% of respondents said they aren't confident they know every device on the network, and nearly two-thirds admitted to having 6 to 15 unique device types on their networks.
When asked about a security policy for IoT, only 44% of respondents said their company had one in place; 26% admitted they didn't know, and 30% said no such policy was in use. Another surprising finding was that only 33% of respondents said their company's security policy also covers home networks, while 45% said that accessing the corporate network from home wasn't covered by the existing policy.
The report also shows that 89% of respondents believe it is important to discover that an IoT device is on the network, while 87% said it is important to classify IoT devices. What's more, 86% consider discovering and classifying devices without the use of an agent to be important.
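The survey asks about agentless discovery and classification, and the printer incident above shows why it matters: a device nobody inventoried was reachable on a port nobody meant to expose. The following script is an added example, not code from the report, ForeScout or SecurityWeek. It takes the XML that `nmap -oX` produces (the sample scan below is constructed, not captured from a real network), classifies each live host from its open ports and MAC vendor using heuristics of my own, and flags hosts that answer on TCP 9100 or expose a plaintext-only web interface. The class names and thresholds are assumptions chosen for illustration.

```python
"""Agentless IoT discovery triage over nmap XML output (added example)."""
import xml.etree.ElementTree as ET

RAW_PRINT_PORT = 9100                 # raw/JetDirect: unauthenticated print jobs
PRINTER_PORTS = {515, 631, 9100}      # lpd, ipp, raw
ADMIN_PORTS = {22, 135, 445, 3389}    # ssh, rpc, smb, rdp: a managed OS, not a gadget

# Constructed sample of what `nmap -oX - -p 22,80,443,631,9100 10.0.0.0/29`
# emits. Addresses, MACs and vendor strings are made up for the example.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -oX - -p 22,80,443,631,9100 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <address addr="02:00:00:00:00:02" addrtype="mac" vendor="Example Printer Co"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="631"><state state="open"/><service name="ipp"/></port>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
    <address addr="02:00:00:00:00:03" addrtype="mac" vendor="Example Server Co"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.4" addrtype="ipv4"/>
    <address addr="02:00:00:00:00:04" addrtype="mac" vendor="Example Gadget Co"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return one dict per live host: ip, mac, vendor and {port: service} for open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue                      # nmap lists down hosts too; skip them
        ip = mac = vendor = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac, vendor = addr.get("addr"), addr.get("vendor")
        open_ports = {}
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # only open ports say anything about the device
            svc = port.find("service")
            open_ports[int(port.get("portid"))] = svc.get("name") if svc is not None else None
        hosts.append({"ip": ip, "mac": mac, "vendor": vendor, "open_ports": open_ports})
    return hosts


def classify(host):
    """Coarse device class from open ports alone (heuristic, an assumption of this example)."""
    ports = set(host["open_ports"])
    if ports & PRINTER_PORTS:
        return "printer"
    if ports & ADMIN_PORTS:
        return "managed-host"             # has a remote-admin service: a normal OS
    if ports:
        return "embedded-device"          # answers only on app ports: likely an IoT gadget
    return "silent"


def findings_for(host, device_class):
    """Exposures a practitioner would want raised for this host."""
    notes = []
    ports = host["open_ports"]
    if RAW_PRINT_PORT in ports:
        notes.append("tcp/9100 open: raw print port accepts unauthenticated jobs; "
                     "restrict it to the print server and block it at the edge")
    if device_class != "managed-host" and 80 in ports and 443 not in ports:
        notes.append("web UI on tcp/80 only: admin credentials cross the network in clear")
    return notes


def triage(xml_text):
    """Map ip -> {'class', 'vendor', 'findings'} for every live host in the scan."""
    report = {}
    for host in parse_scan(xml_text):
        cls = classify(host)
        report[host["ip"]] = {"class": cls, "vendor": host["vendor"],
                              "findings": findings_for(host, cls)}
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_NMAP_XML).items():
        print(f"{ip:12} {info['class']:16} {info['vendor'] or '?'}")
        for note in info["findings"]:
            print(f"{'':12}   ! {note}")
```

Run against a real scan, the point is the two findings on the printer: the raw port that the incident above abused, and the cleartext admin UI that makes any credential reuse visible to anyone on the segment. Ports alone misclassify (a printer with only tcp/80 open looks like any other gadget), so in practice this is the first pass before banner and DHCP fingerprinting, not a replacement for them.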
When asked about their organization's current primary approach to securing IoT devices on the network, 30% of respondents said they rely on "industry or manufacturer standard methods, such as Wi-Fi, WPA2, Bluetooth protocols, etc." 17% said they have a password on the network, 13% didn't know and 14% weren't aware of any such protection.
As Cigital's Jim Ivers noted in a SecurityWeek column earlier this year, IoT devices are by definition connected to the Internet, and connecting something to the Internet is exactly what exposes it to attack. The software running on these devices is what should be secured first, but only "by building a software security initiative (SSI) and creating a software security group (SSG) to ensure someone is held responsible and accountable."
In another SecurityWeek column, Rafal Los, Managing Director, Solutions R&D within the Office of the CISO at Optiv, explains that organizations should start thinking about what IoT means for the CISO. There are numerous examples of IoT devices making their way into an organization's network unnoticed, and this needs to be addressed.
"Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now. You probably have a BYOD policy, but do you have an IoT policy? BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?" Los said.