I’ll give you fair warning — what I am about to say is going to blow your mind: Connected devices are insecure. Take a moment if you need it.

While I jest, these realities are not breaking news. But if the devices themselves are insecure, is end-to-end security of the Internet of Things (IoT) even possible? And if it is possible, is it so costly that only the big guys can afford it?

Keeping Pace With IoT Security Threats

The threats from these devices will only increase, given that the number of connected devices is expected to grow to 125 billion by 2030. As the device population increases, so does the population of cybercriminals who can seize control of corporate devices using very affordable and widely accessible distributed denial-of-service (DDoS)-as-a-service products.

IoT security has been a top cybersecurity concern for the past three consecutive years. However, IoT developers lag when it comes to building security into devices. In fact, some developers have conceded the difficulty of securing every line of code and have begun securing only critical systems. By failing to protect code that is deemed less critical, these developers leave backdoors open to attackers.

The U.K. government recently called for device manufacturers to build security into their products. While there are currently no regulations related to IoT security, the hope is that this decree will make devices themselves more secure. However, as Mark Weir, director of cybersecurity at Cisco U.K. and Ireland, explained, “To ensure our nation collectively remains safe, we must ensure that smart devices are connected to a network that is equally as secure end-to-end, providing full visibility to any threats as they emerge so that they can be contained and dealt with responsibly.”

Enterprises that rely on the widespread use of connected devices for business productivity need to understand how to achieve strong network security. To that end, a recent Institute of Electrical and Electronics Engineers (IEEE) white paper offered best practices for securing connected devices, networks and IoT systems. When talking about IoT security, many leaders in the industry believe that new and emerging technologies have the potential to make end-to-end security not only possible, but also financially feasible.

Shifting Left of Boom

Mustering the resources to defend organizations in today’s complex digital environment takes grit. The beloved Atticus Finch of Harper Lee’s famous “To Kill a Mockingbird” might even say that it takes courage: “It’s when you know you’re licked before you begin but you begin anyway and you see it through no matter what. You rarely win, but sometimes you do.”

Josh Lefkowitz, CEO and co-founder of Flashpoint, echoed Finch’s sage advice: “The landscape is so incredibly complex, dynamic and multivariable that no solution on earth is ever going to deliver 100 percent proactive coverage,” he said. However, organizations should strive to be as “left-of-incident” as possible, thereby minimizing the window during which attackers can inflict damage.

But how can security teams get left of boom when the task of manually monitoring network devices and system administrators is so resource- and time-intensive? According to Chris Morales, head of security analytics at Vectra, “It is crucial to have visibility inside the network that can adapt to the dynamics of growth and change.” Organizations should also invest in technology that automates real-time analysis of communication, administrators, devices and human behaviors.

Any conversation about security must also look at issues with legacy systems, according to Jon Oltsik, senior principal analyst at ESG. There are numerous tools available for managing mobile and endpoint devices and protecting data, all of which require administrator training and different management consoles that must be tested, deployed and operated. Organizations should consider whether a unified endpoint management (UEM) platform is a viable solution for the challenges in their environments.

“These days, we have public clouds, big data technologies, open source, artificial intelligence, etc. In other words, modern compute, network and storage technologies should be able to overcome the challenges we faced 20 or more years ago,” Oltsik wrote.

No Easy Fix for End-to-End IoT Security

The problem is that IoT security is not an easy fix, as noted by Kamal Anand, vice president of the cloud business unit at A10 Networks, in a 2017 report titled “Cybersecurity in an IoT and Mobile World.” The report shared expert opinions on how to turn the tide of the cybersecurity arms race. Like Oltsik, Anand said he is optimistic about technology and the potential of AI and machine learning to help gain some ground on the virtual battlefield.

By implementing device security, data protection and cognitive risk management tools while proactively gathering threat intelligence across the IoT landscape, organizations can build toward end-to-end security. Successful IoT security efforts start with knowing the risks to the network and understanding the way IoT devices interact with corporate data. Security teams should also be sure to change default passwords and credentials. These basic best practices can help security leaders make a stronger business case for investing in the tools and resources necessary to proactively defend against IoT threats.
