Organizations across all industries are looking to the internet of things (IoT) to improve efficiency, better understand customers in order to deliver truly memorable and competitive experiences, improve decision-making, and increase the value of the business.

As a direct result, the endpoint ratio is changing at an even faster pace than we may realize, with these unmanaged devices growing more quickly than the PC and mobile revolutions combined. Armis estimated that by 2021, up to 90 percent of enterprise devices will be unagentable. Similarly, 20 percent of all cyberattacks will be executed through the IoT by 2020. Unfortunately, the risk associated with these new unmanaged and IoT devices is also skyrocketing.

Let’s dive into the details behind this rapidly growing risk by answering three key questions.

1. What Is Enterprise IoT?

Core to the movement dubbed the fourth industrial revolution — or Industry 4.0 — enterprise IoT can be described as physical things embedded with computers to help efficiently solve and optimize business opportunities and challenges. Many enterprises will continue to look to the IoT as they protect and claim market share alongside both traditional and nontraditional competitors.

Examples of devices that apply to most enterprises across all industries include VOIP phones, office and facility video and security cameras, printers, temperature sensors and controls, smart lighting, smart TVs, vending machines, and more. There are also many IoT applications focused on responding to industry-specific problems and opportunities, such as retail beacons, quality control sensors, vehicle and building refrigeration unit temperature sensors, magnetic resonance imaging (MRI) machines, infusion pumps, automated guided vehicles (AGVs), prototype printers, and more.

These are not consumer-grade devices. These devices are being implemented in a multitude of use cases ranging from employee satisfaction and standard operations to the real-time handling of 24/7, business-critical transactions and manufacturing. As such, they are core to business collaboration and operations today.

2. Why Is Security an Issue for These Devices?

Enterprise IoT devices are computers with operating systems and inherent network capabilities, just like the PCs or servers for which we’ve been managing risk for decades.

However, unlike PCs or servers, they have no security. Most of these computers are purpose-built, walled-off black boxes. That means security agents often cannot be installed, patching can range from difficult to impossible, and traditional scanning solutions struggle to understand what these computers are, let alone their associated risks or exposures.

These devices are hiding in plain sight and growing at a compound rate of 29 percent annually, according to Armis. On average, these devices now make up over 40 percent of the technology in enterprise environments and are running toward the 90 percent mark mentioned earlier.

The solutions we’ve long used to discover traditional computers, assess and manage related exposures and risks, and detect and respond to potential attacks were not designed with unagentable devices in mind. Hackers are more than aware that enterprise IoT is not being monitored or protected at a comparable level to traditional devices and software.

In turn, and as seen on numerous prior occasions with new and evolving risk frontiers, bad actors are already focusing their efforts on this weakest link. Look no further than Microsoft’s report on Strontium, released during Black Hat 2019, to appreciate the investments already being made by bad actors targeting enterprise IoT.

3. Is This Really an Issue?

Let’s begin by answering this question with another question: If an environment is running without the ability to discover at least 40 percent of its traditional PC or server assets, assess each asset’s state of risk, and detect, protect against, and respond to cyberattacks occurring on or through the assets, is this an issue?

Most would answer yes without hesitation. We know our PCs and servers are being targeted regularly, and through years of practice and iteration, we are confident in our ability to respond to this challenge. We also know that any delay in execution could allow a cyberattack to occur. We need to look at enterprise IoT from the same perspective and with the same level of criticality if we are to continue to safeguard our operations and brand at a level of efficacy comparable to our current programs.

This should begin with a visibility effort. Understand what you have, what it’s doing, the exposure level of each unagentable device, and whether any such devices are actively compromised. Once you know what you have, you can source the solution that works best for your enterprise.

Learn More About Enterprise IoT Security

To learn how organizations are adopting a new way to enable Threat Management for Enterprise IoT devices, register for the Nov. 6 webinar.

