December 12, 2016 By Scott Koegler 3 min read

Once seen as just a utility to monitor and control a variety of devices, the Internet of Things (IoT) has become a reality. Devices available for IoT deployment range from household products like thermostats and garage door openers to units that control manufacturing systems and robotic devices. Unfortunately, many of these systems were designed without sufficient consideration given to security implications.

I spoke with Emmanuel Schalit, CEO of password management vendor Dashlane, about four challenges IT managers face regarding IoT security.

IoT Complexity

How does the complexity of an IoT deployment impact security and how do enterprises need to protect themselves? According to AT&T’s “CEO’s Guide to Securing the Internet of Things,” 85 percent of enterprises plan to deploy IoT devices, but only 10 percent feel confident that they can secure those devices against cybercriminals. That’s worrisome, considering there are more than 5 billion internet-enabled devices in use today, with more than 20 billion expected by 2020.

“While most hacking of IoT centers on the actual devices themselves, oftentimes the back-end systems that control these devices are just as susceptible to attacks,” Schalit explained.

“So it really begins at the enterprise level, as devices are usually installed inside the secure perimeter of an enterprise network. Unfortunately, that perimeter can be easily penetrated or disabled. On top of that, insider threats, whether malicious or accidental, make up 70 percent of cyberattacks, and they usually originate inside that perimeter. So security is twofold: Secure the network and the things themselves.”

Vulnerabilities Are Everywhere

“Research has repeatedly shown that many IoT device manufacturers and service providers are failing to implement common security measures in their products,” said Schalit. “Consider the fact that many of the IoT devices will have long lives (microwaves, fridges, etc.) and very limited user interface [UI]. Most of them will contain known vulnerabilities for years. IoT devices are everywhere, which means vulnerabilities are everywhere.”

At-risk environments include homes, personal communication devices, automobiles, manufacturing environments, offices and more.

Inexperience and Fragmentation

“The first problem is that many organizations often lack tools and policies to monitor and secure the device,” Schalit explained. According to a recent ForeScout Technologies survey, 30 percent of organizations surveyed lack a specific security solution for their IoT deployment. Additionally, more than a quarter said they did not know if their companies had IoT security policies.

“There is often much fragmentation within enterprise IT,” Schalit continued. “Operations is separate from the information security group, which creates many issues for identifying and managing these technologies. Additionally, passwords ignore the border between home and work. The same person is using the same digital accounts on both sides, as we all do personal things at work and work at home. The same holds for the exposure. An employee who uses the same poor passwords for his personal accounts and his work accounts puts his entire organization at risk.”

Password managers and managed identity services are some of the ways companies can help manage the issue.

Lack of Visibility

As Schalit wrote on Dashlane’s blog: “People are digitizing details of their life at a rapid pace, but they are not replicating basic real-life security behavior. Just think how many people still use the same password for several websites. … Many people tend to underestimate the risks they encounter while using the internet and think they can simply reset their email or cancel bank transactions if they are hacked.”

The nature of cyberrisk has changed. A few years ago, a digital risk was fully contained in a personal computer. Companies protected themselves with antivirus and firewall software. Today, the risk is in the cloud and the devices that connect to it — that is to say, everything.

More from Cloud Security

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Cloud threat report: Possible trend in cloud credential “oversaturation”

3 min read - For years now, the dark web has built and maintained its own evolving economy, supported by the acquisition and sales of stolen data, user login credentials and business IP. But much like any market today, the dark web economy is subject to supply and demand.A recent X-Force Cloud Threat Landscape Report has shed light on this fact, revealing a new trend in the average prices for stolen cloud access credentials. Since 2022, there has been a steady decrease in market…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today