With the IoT market on track to reach $800 billion this year and more than 2 billion connected devices already in the wild, it’s no surprise that Internet of Things (IoT) security is now a top priority for cutting-edge enterprises. The challenge? Actually making inroads. While updating stock passwords and improving employee education are helping deflect entry-level attacks, widespread distributed denial-of-service (DDoS) and botnet incidents are on the rise. It begs the question: Is better digital device defense possible, or is IoT insecurity inevitable?

Emerging Issues With IoT Security

Users aren’t certain about IoT. According to Intelligent Transport, recent survey data showed that 90 percent of consumers lack confidence in IoT security, citing concerns about leaked data (60 percent) and compromised personal information (54 percent).

These fears aren’t unfounded. One popular children’s toy uploaded thousands of unencrypted voice recordings — of both adults and children — to a publicly accessible database, as TechCrunch reported. Earlier this year, the data was compromised and ransomed.

Ninety-six percent of organizations, meanwhile, believe that governments aren’t doing enough to regulate the IoT ecosystem, with 67 percent worried that cybercriminals could seize control of their devices, according to TechRadar. There’s solid data to support this concern: Last month, a new threat named IoT Reaper used existing IoT flaws to take control of more than 2 million devices worldwide, such as security cameras, network video recorders and digital video recorders. While no large-scale attacks have originated from Reaper, source code analysis indicates the presence of DDoS support, meaning it may only be a matter of time.

Standard Defense

Defense of IoT devices has been conflated with securing mobile technologies, such as smartphones and tablets, since they share basic similarities. But occasionally changing passwords isn’t good enough when access to Internet-connected sensors could give actors complete freedom to roam corporate networks.

The typical mantra of better employee training also falls flat, since just 14 percent of users and enterprises describe themselves as “knowledgeable” about IoT security, meaning there’s often confusion at both the top and bottom ends of an organization about how to effectively safeguard IoT networks. Add in the lack of standardization — some manufacturers now build in native security, while others argue that end users are responsible for securing devices — and it’s no surprise that IoT offerings are both compelling for enterprise efficiency and terrifying for their role in potential compromise.

Building a Better Mousetrap

If traditional security methods don’t stack up, how can enterprises build better IoT defense? Below are some suggestions.

Increased Visibility

In a recent Information Age article, ForeScout CIO Julie Cullivan said that “undetected devices can significantly expand an attack surface, yet are invisible to many traditional, agent-based security solutions.” Here, it’s a case of putting the cart before the horse — enterprises need tools capable of detecting all endpoints on their network before implementing any broad-based policy.


Mobile device management (MDM) and enterprise mobility management (EMM) are no longer enough. Simply managing devices doesn’t provide critical insight into how applications are used or the extent of data manipulation.

IoT security demands cognitive-enabled unified endpoint management (UEM), which both provides granular control over all endpoints, regardless of type or location, and lets professionals secure specific applications on these devices. This might be as simple as ensuring that IoT-enabled thermostats only have access to data necessary for local climate control, but without effective UEM this simple task becomes a major headache.


Security expert Bruce Schneier, CTO of IBM’s Resilient Systems, put it simply, saying: “We’re building a robot the size of the world and most people don’t even know it.” With IoT sensors that can see and hear, connected devices that can physically manipulate objects and a host of network-enabled machines devoted to processing generated data, Schneier’s assertion isn’t so far-fetched.

It lends credence to his argument that it’s time for governments to start regulating IoT. Given the massive size and scope of connected devices, corporate-level regulation can only do so much. But by creating and adopting worldwide standards, there’s hope that enterprises can collectively combat IoT threats.

So what’s the final answer? Is IoT security hopeless? Not quite. While current methods don’t stack up, parallels with cloud security suggest an improving outlook for device defense. As enterprises and governments recognize IoT networks as separate and distinct from other mobile devices, growing specialization will drive the creation of improved visibility tools, spur the innovation of advanced cognitive solutions and encourage governments to take an active role in regulation.
