Last year’s cyberattack against internet provider Dyn was something of a milestone. For the first time in a large-scale campaign, the attackers didn’t go directly at their target’s servers. Instead, they pressed Mirai malware into service. This malware automatically discovers Internet of Things (IoT) devices and leverages poor IoT security, allowing the attackers to link about 100,000 of these ill-secured devices into a centrally controlled botnet. They then launched a highly successful distributed denial-of-service (DDoS) attack against Dyn’s servers.

Mirai-powered fraudsters struck again the end of last year, this time wiping out internet service for nearly 1 million Deutsche Telekom customers. Moreover, investigators suggested that the operators behind the Dyn attack may have gone public with the malware’s source code. This could potentially give other cybercriminals a leg up in developing their own flavors of Mirai to attack IoT devices.

The State of IoT Security

There are two unimpeachable truths about IoT devices. The first is that the volume of these devices is exploding. Gartner estimated that about 6.4 billion IoT devices were in use in 2016, a number the firm expects to more than triple in just three years to 21 billion.

The second truth is that these devices, which can hold massive troves of personal, operational and corporate data, are notoriously insecure. Forrester Research noted that IoT security is in its “creation phase” and doesn’t have established quality controls or standards. In fact, they are widely manufactured with few, if any, standards, and often arrive with weak default passwords.

IoT Security Spending Skyrocketing

“The affordability and compactness of computing is what places IoT technology within affordable reach,” said Scott Crawford, research director for information security at 451 Research. “Without demonstrated threats, manufacturers may see little compulsion to incorporate strong security in these devices and systems.”

Organizations are quickly ratcheting up IoT security spending. Gartner predicted that such spending would amount to roughly $550 million by next year, a figure that could skyrocket by 2020. The veritable boom of IoT devices and the pressing need to secure them could potentially lead to extreme shortages of IoT security specialists within two to three years. Bear in mind, IT professionals must secure not only the devices themselves, but also their operating systems, platforms, networks and other interconnected systems.

This all translates into extra security precautions IT leaders must apply to various routine business activities. Consider merger and acquisition activity, for example. Obviously, an overall security assessment of the target company’s infrastructure is a key requirement.

“If IoT devices are authenticated and managed through identity management systems, their integration should parallel that of IT systems and endpoints,” Crawford noted. He added that acquiring companies must assure that IoT networks and clusters are somehow segmented from unexpected exposure that may result from the transition, especially for sensitive operational environments.

Securing Your IoT Environment

What else can enterprises do to secure the burgeoning IoT environment today? For one thing, security leaders should be aware of industry groups that have taken the lead in bolstering the security of operational technologies, including IoT devices. These groups include the North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection Committee (CIPC) for electric utilities, the Health Information Trust Alliance (HITRUST) and the Society of Automotive Engineers, which published an invaluable cybersecurity guidebook.

Crawford advised organizations to apply the same principles that they apply to overall IT security to IoT security. Strategists should include IoT deployments in broader strategies for insulating networks and systems from attacks, thus “assuring controls on access to sensitive functionality, protecting confidential data and evaluating the resilience of systems to exploit.”

Crawford also pointed out the growing number of businesses and consultancies seeking to work with enterprises wrestling with IoT security issues. It’s critical, however, to distinguish between legitimate services and vendors merely pushing their potentially insecure products.

The oncoming wave of IoT is unstoppable — although it could be slowed by governmental regulation if device manufacturers don’t step up their game when it comes to security and interoperability standards. For the near term, however, IoT security solutions will be far from standardized, especially given the number of device-makers globally. Cybercriminals know this and will likely redouble efforts to exploit IoT security gaps.

More from Endpoint

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Threat Management and Unified Endpoint Management

The worst of the pandemic may be behind us, but we continue to be impacted by it. School-aged kids are trying to catch up academically and socially after two years of disruption. Air travel is a mess. And all businesses have seen a spike in cyberattacks. Cyber threats increased by 81% while COVID-19 was at its peak, with 79% of all organizations experiencing a loss of business operations during that time. The risk of cyberattacks increased so much that the…

3 Ways EDR Can Stop Ransomware Attacks

Ransomware attacks are on the rise. While these activities are low-risk and high-reward for criminal groups, their consequences can devastate their target organizations. According to the 2022 Cost of a Data Breach report, the average cost of a ransomware attack is $4.54 million, without including the cost of the ransom itself. Ransomware breaches also took 49 days longer than the data breach average to identify and contain. Worse, criminals will often target the victim again, even after the ransom is…

How EDR Security Supports Defenders in a Data Breach

The cost of a data breach has reached an all-time high. It averaged $4.35 million in 2022, according to the newly published IBM Cost of a Data Breach Report. What’s more, 83% of organizations have faced more than one data breach, with just 17% saying this was their first data breach. What can organizations do about this? One solution is endpoint detection and response (EDR) software. Take a look at how an effective EDR solution can help your security teams. …