With the IoT market on track to reach $800 billion this year and more than 2 billion connected devices already in the wild, it’s no surprise that Internet of Things (IoT) security is now a top priority for cutting-edge enterprises. The challenge? Actually making inroads. While updating stock passwords and improving employee education are helping deflect entry-level attacks, widespread distributed denial-of-service (DDoS) and botnet incidents are on the rise. It begs the question: Is better digital device defense possible, or is IoT insecurity inevitable?

Emerging Issues With IoT Security

Users aren’t certain about IoT. According to Intelligent Transport, recent survey data showed that 90 percent of consumers lack confidence in IoT security, citing concerns about leaked data (60 percent) and compromised personal information (54 percent).

These fears aren’t unfounded. One popular children’s toy uploaded thousands of unencrypted voice recordings — of both adults and children — to a publicly accessible database, as TechCrunch reported. Earlier this year, the data was compromised and ransomed.

Ninety-six percent of organizations, meanwhile, believe that governments aren’t doing enough to regulate the IoT ecosystem, with 67 percent worried that cybercriminals could seize control of their devices, according to TechRadar. There’s solid data to support this concern: Last month, a new threat named IoT Reaper used existing IoT flaws to take control of more than 2 million devices worldwide, such as security cameras, network video recorders and digital video recorders. While no large-scale attacks have originated from Reaper, source code analysis indicates the presence of DDoS support, meaning it may only be a matter of time.

Standard Defense

Defense of IoT devices has been conflated with securing mobile technologies, such as smartphones and tablets, since they share basic similarities. But occasionally changing passwords isn’t good enough when access to Internet-connected sensors could give actors complete freedom to roam corporate networks.

The typical mantra of better employee training also falls flat, since just 14 percent of users and enterprises describe themselves as “knowledgeable” about IoT security, meaning there’s often confusion at both the top and bottom ends of an organization about how to effectively safeguard IoT networks. Add in the lack of standardization — some manufacturers now build in native security, while others argue that end users are responsible for securing devices — and it’s no surprise that IoT offerings are both compelling for enterprise efficiency and terrifying for their role in potential compromise.

Building a Better Mousetrap

If traditional security methods don’t stack up, how can enterprises build better IoT defense? Below are some suggestions.

Increased Visibility

In a recent Information Age article, ForeScout CIO Julie Cullivan said that “undetected devices can significantly expand an attack surface, yet are invisible to many traditional, agent-based security solutions.” Here, it’s a case of putting the cart before the horse — enterprises need tools capable of detecting all endpoints on their network before implementing any broad-based policy.


Mobile device management (MDM) and enterprise mobility management (EMM) are no longer enough. Simply managing devices doesn’t provide critical insight into how applications are used or the extent of data manipulation.

IoT security demands cognitive-enabled unified endpoint management (UEM), which both provides granular control over all endpoints, regardless of type or location, and lets professionals secure specific applications on these devices. This might be as simple as ensuring that IoT-enabled thermostats only have access to data necessary for local climate control, but without effective UEM this simple task becomes a major headache.


Security expert Bruce Schneier, CTO of IBM’s Resilient Systems, put it simply, saying: “We’re building a robot the size of the world and most people don’t even know it.” With IoT sensors that can see and hear, connected devices that can physically manipulate objects and a host of network-enabled machines devoted to processing generated data, Schneier’s assertion isn’t so far-fetched.

It lends credence to his argument that it’s time for governments to start regulating IoT. Given the massive size and scope of connected devices, corporate-level regulation can only do so much. But by creating and adopting worldwide standards, there’s hope that enterprises can collectively combat IoT threats.

So what’s the final answer? Is IoT security hopeless? Not quite. While current methods don’t stack up, parallels with cloud security suggest an improving outlook for device defense. As enterprises and governments recognize IoT networks as separate and distinct from other mobile devices, growing specialization will drive the creation of improved visibility tools, spur the innovation of advanced cognitive solutions and encourage governments to take an active role in regulation.
