46% CIOs & IT decision makers have no control over IoT devices in their networks
April 5, 2018
A recent survey has highlighted how a large number of businesses in the UK are, to a greater or lesser degree, careless about the security of their devices and applications and are thus leaving their doors open for cyber criminals and fraudsters.
The survey of 500 CIOs and IT decision makers conducted by ForeScout and CensusWide revealed that while 15 percent of them do not keep security patches up to date, almost half of them (47 percent) do not change default passwords in IoT devices before linking such devices to their corporate networks.
As many as 46 percent of all businesses also do not have full visibility over devices connected to their corporate networks, which means that they cannot identify every device, let alone patching them or testing them for vulnerabilities.
“The convergence between IT and OT is where businesses are looking to drive some major efficiency gains in 2018, but it makes the challenge of knowing exactly what devices are on your network that much harder,” said Myles Bray, vice president of EMEA at ForeScout.
“IoT has expanded the attack surface considerably for all firms, and without basic security hygiene it is easy for bad actors to gain a foothold and then move laterally on a network to reach high-value assets and cause business disruption. With GDPR just around the corner businesses need to act now,” he added.
Commenting on the results of the survey, Natan Bandler, CEO, and Co-Founder of Cy-OT, said that he is not surprised to see so many UK businesses having poor visibility over their IoT devices and consequently leaving themselves vulnerable to IoT hacks.
"Even though, according to this research, 85% of businesses are keeping patches up to date, it is basically irrelevant. You can’t expect all devices to be patched; in fact there are often not even relevant patches available for all IoT devices. Organisations should not trust the IoT device itself, patched or not. It needs to protect itself and put mechanisms in place to secure its data and sensitive assets, especially as some of the IoT devices may not belong to the organisation itself.
"What is needed is a dedicated cybersecurity solution that is monitoring both the IoT device and its activity, 24 x 7. By doing this, an organisation will be able to detect when and which devices are at risk. The answer does not lie within the device itself, but with a solution that your Security Operations Team can control,” he adds.
The agency took the example of the Mirai botnet which infected "tens of thousands of devices, mostly Internet routers, with weak password security" in 2016 and then used the affected devices in coordinated distributed denial of service (DDoS) attacks against websites worldwide.
"Attacks on IoT devices such as internet connect fridges, TV’s, smart home devices etc. are down to flaws in the software running on them, and attacks will continue to happen until those flaws are dealt with. Good practices by vendors around configuration and authentication need to be initiated or matured to prevent this in future," said Adam Brown, manager, security solutions at Synopsys.
"I would love to see certification for IoT devices become commonplace so that consumers can know that the devices are cyber safe, much in the same way that if you buy a toy with a CE mark you know it has been through a process of assessment and it won’t, for example, poison anyone because it has lead in its paint.
"A certified IoT device will be less likely to lend itself to a hacker to steal from you, use you as a place to attack others from, or use your electricity to mine cryptocurrencies for themselves," he adds.
Jay Jay is a freelance technology writer for teiss. He has previously written news articles, device reviews and features for Mobile Choice UK website and magazine, as well as writing extensively for SC Magazine UK, Tech Radar, Indian Express, and Android Headlines.