A growing number of IT security professionals are concerned about Internet of Things-related cyberattacks, but far fewer are doing anything to ensure their corporate networks are protected from such threats, according to a new survey.
The Internet of Evil Things survey, released by cybersecurity vendor Pwnie Express on Wednesday, highlights how IT professionals are still figuring out how to handle security matters for the legions of new, non-traditional devices coming online in corporate networks. The survey is based on responses from 582 IT security professionals at companies of all sizes.
Some 64 percent of respondents said they are more concerned about device threats than they were last year, with IoT devices being the chief concern. At the same time, one-third of respondents said their organizations were not ready to detect connected device threats.
Concern and preparation for different kinds of connected devices also varied by large margins. For instance, 80 percent of respondents put employee-owned devices as a concern while only 47 percent said they had monitoring capabilities for such devices. Meanwhile, 49 percent said consumer IoT devices, like smart watches, are a concern while only 23 percent could monitor them. For malicious or purpose-built rogue devices, 51 percent said they were concerned but only 24 percent could monitor the devices.
"With this new phenomena of Internet of Things, I think that's very different than what's been handled by traditional IT security. I think things are complicated, I think the stakes are higher in general, and there's a limited amount of security expertise," Pwnie Express CEO Todd DeSisto told CRN. With those elements combined, it makes the issue more difficult to attack, he added, which is why IT capability doesn't match the current level of concern.
The survey also found that IT security professionals weren't checking wireless devices for malicious infections as much as they were last year. In 2017, 46 percent of respondents said they most recently checked their wireless devices last week while only 43 percent said they did so this year. Meanwhile, the detection and mitigation of connected device threats remain a high priority for 63 percent of respondents, about the same as last year.
Brian Salisbury, vice president of product management at Melville, N.Y.-based solution provider Comtech Telecommunications, told CRN that some of the deficiencies that companies have in IoT security relate to legacy systems in corporate environments, which weren't designed with modern security concerns in mind.
"Security is hard to add after the fact," he said. "It really needs to be architected in from the beginning."
When it comes to which kind of organization is better equipped to deal with IoT threats, the survey found that small- to medium-sized businesses have better practices than enterprises despite having fewer resources, similar to the results from last year. For instance, 62 percent of SMBs had knowledge of how many devices are connected to their network while only 47 percent of enterprises did. There was a similar ratio for how many organizations made monthly checks of wireless devices for infections. Meanwhile, 71 percent of SMBs had a complete inventory of connected devices on their network while only 49 percent of enterprises did.
"Because they are smaller, things are more manageable and therefore they can add some resources to it and get control it," DeSisto said.
Another pressing issue is the lack of input IT security professionals have in purchasing decisions. Only 32 percent of respondents said all device purchases must be cleared by IT professionals while 61 percent said that wasn't the case. For consumer IoT, industrial IoT and operational technologies, less than 50 percent said they had a role in approving the technology.
DeSisto said many IT security professionals have been excluded from these kinds of purchasing decisions because non-IT staff have been bringing new devices into the network for productivity purposes while ignoring security concerns.
"Not everything is being funneled through them like in the past," he said.
There was also a widespread lack of specific security policies surrounding connected devices among the survey's respondents. While 75 percent said they have security policies for traditional IT devices, less than half had policies for operational technology, industrial IoT, consumer IoT and employee-owned devices. Only 35 percent of respondents said IT professionals check to ensure that devices are compliant with security policies.
As for who should be responsible for connected device security, 61 percent said IT security, 19 percent the device's buyer, 13 percent the device's manufacturer and 7 percent the systems integrator or value-added reseller. Nearly 40 percent of respondents said they believe the government should regulate security standards for IoT.
DeSisto said that while awareness of connected device security has been growing, he doesn't expect it to become a more important issue until a major attack happens. There have already been significant security events, including the 2016 Mirai botnet that infected consumer IoT devices and took down large parts of the Internet.
"Unfortunately, it's going to be when something really bad happens where you're finally going to get everyone's attention," he said. "To a certain degree, that's human nature. Inertia is a powerful force."
Underlying that statement was perhaps one of the survey's most troubling finding: 85 percent of respondents said they believe their country of origin will suffer a major cyberattack on critical infrastructure in the next five years.
"Whether you're in the industry or not, that should get your attention," DeSisto said.