February 14, 2019 By Sue Poremba 3 min read

The internet of things (IoT) is taking over the world — or, at least, it seems that way. According to Gartner, we can expect more than 20 billion connected IoT devices by 2020, up from just shy of 9 billion devices in 2017.

Yet as the IoT takes over the world, IoT security remains, well, pitiful. Connected devices emerged as one of the biggest attack vectors of 2018. While organizations are finally recognizing that the IoT is a threat to their overall cybersecurity, they are failing to ensure that the networks and data generated by IoT devices remain protected.

You Can’t Protect What You Can’t See

One reason why the IoT became one of the biggest attack vectors of 2018 was its invisibility on enterprise networks. According to a report from Gemalto, 48 percent of businesses admitted they are unable to detect the devices on their network. However, consumers expect businesses to have a handle on IoT security. It’s become a sort of paradox for businesses: They have to protect what they cannot see on their networks.

At the same time, IoT vendors are failing on their end by not developing devices and software with security built in — nor do they have to because there aren’t security standards for the IoT.

“Consider the operating systems for such appliances,” wrote Nick Ismail for Information Age. “How do you upgrade the OS in a wall-mounted air conditioning unit that’s connected wirelessly? Or a smart light bulb? If you can’t upgrade an operating system, how can you attempt to patch any vulnerabilities?”

That’s why cybercriminals are specifically targeting IoT devices. Their security is weak on the device/software side as well as on the network side because organizations struggle to account for all of their connected devices.

In 2018, favorite targets for threat actors included routers and firewalls. The United States Computer Emergency Readiness Team (US-CERT) put out a warning last spring that attackers were going after network devices, saying that if they can own the router, they’ll also take charge of the traffic. The alert added that a “malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.” Legacy systems or systems that are never updated are low-hanging fruit for the picking.

Attacks Against Connected IoT Devices

Cybercriminals know that IoT connections and devices are easy targets, which is why experts warn that we will see an uptick in the number of specifically targeted attacks in the coming years. For example, a rise in malware that targets the medical industry, and not just medical devices themselves, but all of the IoT devices found in hospitals, such as heating, ventilation and air conditioning (HVAC) systems or wireless printers.

Threat actors are also utilizing ransomware for their IoT-based attacks. Ransomware attacks against the IoT aren’t the same as the attacks against your internal network. With an attack on a computer or server, ransomware is able to lock down your data directly. With the IoT, the data itself is in the cloud and the device can easily be rebooted, which means you won’t need to pay the ransom — that’s a lose-lose for the attacker.

Instead, ransomware attacks against the IoT are timed to hit at a critical moment, acting like a distributed denial-of-service (DDoS) attack. The ransomware will take down the device when it can’t be reset, or it takes over the system itself. For example, a ransomware attack could take over a building’s HVAC system late at night on a holiday weekend, turning the air conditioning on high until the ransom is paid.

We’ve also seen how malware can turn IoT devices into botnets and affect the functionality of other networks and devices. These botnets are expected to evolve unless IoT security improves.

IoT Security Solutions for Vendors and Organizations

IoT security is expected to gain a higher profile in 2019. Security experts predict more attacks against IoT infrastructure, more malware targeted directly at these devices and just more endpoints to defend. This means that 2019 should be the year that everyone, from vendors to organizational security teams, invest in their security approach and solutions.

On the software side, security is primarily in vendors’ hands. With greater emphasis and awareness of DevSecOps, we should expect to see a bigger push to bake security directly into devices. New privacy laws across the U.S. will also force manufacturers to give users greater control; for example, California passed a law to ban default passwords on new devices by 2020 and ensure each device has security measures built in.

On the organizational side, security teams can introduce advanced tools such as nano agents and fog computing, which allow for microsegmentation of individual devices. Fog computing is a layer between the device and the cloud, allowing for real-time monitoring of the devices, especially highly critical ones where a cyber incident could be the difference between life and death. While perhaps further off in the future, nano agents can be embedded directly into individual devices to monitor cyber risk.

The internet of things is taking over the world — and so will cybercriminals if we don’t address the security problems surrounding these devices.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today