Smart toys, implanted heart monitors, connected cars and other personal non-business connected devices are regularly connecting to corporate networks, prompting technology leaders to warn that significant action should be taken to prevent these devices from being used to hack into businesses.
That’s according to a new report on practices for securing the Internet of Things (IoT), commissioned by Palo Alto Networks, the global cybersecurity leader, based on a survey of 1,350 IT business decision-makers in 14 countries in Asia, Europe, the Middle East and North America.
An overwhelming nine in ten UK respondents report a rise in the number of IoT devices connecting to their networks over the last year. Among the light bulbs, smart TVs and connected medical devices, one red flag emerged: 45 percent of UK IT decision-makers said they need to make a lot of improvements to the way they approach IoT security, and 6 percent said that a complete overhaul is needed, amounting to more than half of those polled.
UK businesses are more likely (43 percent) than any others either to have not segmented devices onto separate networks, away from primary devices and business-critical applications, or to have not started considering IoT security at all. This compares with a global average of 29 percent and an EMEA average of 28 percent.
According to Greg Day, VP and Chief Security Officer, Palo Alto Networks, EMEA, “The research shows there’s more we need to do to close the gap in IoT security strategy, especially as technology teams deal with the proliferation of such a diversity of connected devices at a dizzying pace.”
This sentiment was backed up by Tanner Johnson, senior cybersecurity analyst at Omdia, who said, “Traditional networks are ill-equipped to handle the surge in adoption of IoT devices. Device behaviour baselines need to be established to allow for new recommended policies to help stop malicious activity. For instance, it would raise a flag if a connected thermostat started transmitting gigabytes of data to an unfamiliar site.”
Day continues, “Visibility really is key to both realising the business opportunity and understanding the risks of IoT. This is because most devices use proprietary methods, which are increasingly encrypted. If you cannot tell what a thing is or what normal looks like, how can you define what it should be able to access and why? More critically, how do you spot a change that could be good (new capabilities) or bad, with the device being used as a gateway for attack?”
The survey was released as part of Palo Alto Networks’ ongoing efforts to shed light on security threats posed by the surge in deployment of internet-connected devices. Business Insider Intelligence forecasts there will be more than 41 billion IoT devices by 2027, up from 8 billion last year.
Day continues, “With the influx of IoT, including the supply chain sub-dependencies that they add, organisations should not assume they are adequately secured. There is a lack of standardisation in security controls and the value of IoT devices varies so wildly between a few to millions of pounds. So, we can’t expect the same investment in security controls when the IoT asset value varies so greatly.”
“IT and security teams need to embrace visibility of IoTs and then segment both their critical digital business assets and align IoT things only to the business processes required. In other words, micro-segmentation.”
What should organisations do?
- Employ device discovery for complete visibility – you can’t secure what you can’t see
- Apply network segmentation for stronger defence so adversaries can’t jump from unprotected devices to your critical data and systems
- Adopt secure password practices – too many IoT devices have weak default passwords
- Continue to patch and update firmware when available
- Actively monitor IoT devices at all times
The full findings of the report can be found here.
Palo Alto Networks commissioned technology research firm Vanson Bourne, which polled 1,350 IT business decision-makers in 14 countries across Asia, Europe, the Middle East and North America.