Enterprises relying on legacy tech to manage IoT risks: Ponemon

There is a disparity between awareness of IoT security threats and level of preparedness, according to new research from the Ponemon Institute, which showed that many enterprises are still reliant on legacy technology.
Written by Tas Bindi, Contributor

Enterprises are not managing the risks associated with the Internet of Things (IoT), with many relying on legacy technologies and governance practices to mitigate security threats, according to the Ponemon Institute.

A recent study by the Ponemon Institute, which surveyed 553 enterprise IT decision makers, showed that most organisations are aware that swathes of easily compromised IoT devices enable hackers to build massive botnets, as exemplified by the Mirai botnet whose DDoS attacks disrupted large parts of the internet in October.

However, only 48 percent of respondents said that they are actively monitoring the risks posed by the use of IoT devices in the workplace, and nearly three quarters, or 72 percent, said the pace at which IoT technology is advancing makes it difficult to keep up with evolving security requirements.

"More and more enterprises are turning to IoT to improve business outcomes and this growth is creating a breeding ground for cyber attacks," said Dr Larry Ponemon, chairman and founder of the Ponemon Institute.

"What's shocking about these findings is the complete disconnect between understanding the severity of what a third-party security breach could mean for businesses, and the lack of preparedness and communication between departments."

Data loss or theft enabled by IoT devices will likely occur within the next two years, according to 78 percent of those surveyed, while 76 percent believe a DDoS attack involving an unsecured IoT device is imminent within the same timeframe. Either incident would be catastrophic, according to 94 percent of respondents.

Despite this, 94 percent of respondents indicated that they still rely on a traditional network firewall to mitigate threats, and just 44 percent believe their organisation is able to protect its network from potential attacks.

Sean Peasley, partner at Deloitte's Cyber Risk Services practice, recently argued that the lack of an effective IoT cybersecurity program, shortage of specialised talent, and insufficient budgets are leading most organisations to implement multiple point solutions that lack integration.

Peasley's statement is supported by the Ponemon study: 85 percent of the companies that are not tracking IoT inventory said there is a lack of centralised responsibility for devices being used in the workplace, while more than half of the companies, or 56 percent, cited a lack of resources available to perform this task.

The problem is exacerbated by the shortage of cybersecurity skills, according to professor Jill Slay, director at the Australian Centre for Cyber Security at the University of New South Wales in Canberra.

Speaking at the Everything IoT Summit in Sydney last year, Slay said network security staffers need to be upskilled, while a new generation of security professionals needs to be trained from the ground up.

"Now we're at the stage where we're trying to train a new generation of people who might have equivalent vocational qualifications to understand what the Internet of Things looks like, what breaches to the Internet of Things look like, and how in their everyday jobs they can deal with it. But as soon as we do that, we're going to have a whole generation of hackers who do that too."

IoT Alliance Australia's IoT security guideline released in February stresses the importance of incorporating security into the core design of IoT solutions, but not just at the device end. The devices need to be supported by good end-to-end architecture, as the development environment for IoT spans many languages, operating systems, and networks, the alliance said.

However, a necessary precursor to developing an appropriate trust framework, according to IoT Alliance Australia, is understanding how IoT devices self-organise and share information.

"For a route to be established, route information is transmitted from node to node (multi-hopping) until the desired destination is found. Throughout the route maintenance phase, nodes can add, delete, or needlessly delay the transmission of control information (selfish or misbehaving nodes). It is during route discovery or forwarding that malicious nodes can attack," the guideline states.

Speaking with ZDNet earlier this year, John MacLeod, Watson IoT specialist at IBM, also highlighted the importance of having "well thought through architecture".

Due to the scale of interactions taking place across an organisation's IoT ecosystem -- from the human-machine interface to the sensor-cloud interface -- MacLeod said it's critical that enterprise IT departments are aware of potential attack vectors within their architecture, including sideloading, malicious apps, and insecure Wi-Fi networks.

"There was an incident where somebody hacked into hundreds of thousands of security cameras around the world and conducted a big denial of service because the software that had been loaded into these security cameras was not secure enough and allowed itself to be replaced by malicious software," MacLeod said.

"Connecting to a secure platform is an important aspect of security, but it's not in itself sufficient to guarantee the security of the device."
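The failure MacLeod describes, device software that "allowed itself to be replaced", is what a signed firmware image with a rollback check prevents: the device accepts an update only if it verifies under the vendor's public key and carries a version newer than the one installed. The following is an added example of that device-side check in Go, not IBM's code or any camera vendor's; the image layout (a 12-byte header, payload, Ed25519 signature) and the vendor keypair are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout assumed for this example (not any real vendor's format):
//   magic(4) | version(4, big-endian) | payload length(4, big-endian) | payload | Ed25519 signature(64)
// The signature covers everything before it, header included, so the version
// field used for the rollback check is itself authenticated.
var magic = []byte("FWIM")

const headerLen = 12

var (
	ErrTruncated    = errors.New("firmware: image truncated or length mismatch")
	ErrBadMagic     = errors.New("firmware: bad magic")
	ErrBadSignature = errors.New("firmware: signature verification failed")
	ErrRollback     = errors.New("firmware: version not newer than installed")
)

// BuildImage is the vendor-side step: sign header and payload with the vendor's
// private key, which stays on the build system and never reaches a device.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	copy(body, magic)
	binary.BigEndian.PutUint32(body[4:], version)
	binary.BigEndian.PutUint32(body[8:], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side check run before anything is written to
// flash. pub is the vendor public key provisioned in the device; installed is
// the running version. Only a well-formed, authentic, newer image is accepted.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (payload []byte, version uint32, err error) {
	if len(img) < headerLen+ed25519.SignatureSize {
		return nil, 0, ErrTruncated
	}
	if !bytes.Equal(img[:4], magic) {
		return nil, 0, ErrBadMagic
	}
	plen := uint64(binary.BigEndian.Uint32(img[8:12]))
	if uint64(len(img)) != headerLen+plen+ed25519.SignatureSize {
		return nil, 0, ErrTruncated // declared length must match what arrived
	}
	body, sig := img[:headerLen+plen], img[headerLen+plen:]
	// Authenticate before trusting any header field.
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, ErrBadSignature
	}
	version = binary.BigEndian.Uint32(img[4:8])
	if version <= installed {
		return nil, 0, ErrRollback // genuine, but an old image being replayed
	}
	return body[headerLen:], version, nil
}

func main() {
	// Vendor keypair generated for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := uint32(1)
	good := BuildImage(priv, 2, []byte("camera firmware v2"))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := BuildImage(attackerPriv, 3, []byte("botnet payload")) // attacker's own key
	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0x01 // one payload bit flipped after signing
	for name, img := range map[string][]byte{"good": good, "forged": forged, "tampered": tampered, "replay": BuildImage(priv, 1, []byte("old"))} {
		_, v, err := VerifyImage(pub, installed, img)
		fmt.Printf("%-9s version=%d err=%v\n", name, v, err)
	}
}
```

The order of the checks matters: length and magic are cheap sanity checks, the signature is verified before the version field is read, and only then is rollback rejected, so an attacker cannot use an unsigned header to steer the device into any decision. In a real deployment the public key would be in read-only storage and the installed version in a monotonic counter the running firmware cannot lower.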

Arron Patterson, CTO APJ Commercial division at Dell EMC, explained to ZDNet previously that security is "difficult to bolt on afterwards".

"You really have to think about it at the beginning and make sure you're implementing policies and infrastructure that can respect those policies from the ground up," Patterson said.

"We've seen many many instances where datasets have been stolen or accessed and used. Once you've compromised someone's privacy and lost their trust, it's very difficult to get that back. These datasets are very valuable, there's a lot of intelligence that can be drawn from that around user behaviour and so forth, so it's well worth protecting.

"You really need to make sure that every time you collect a piece of information, you understand how you've collected it, what rights you have around it, what your consumer expects you to do with it."

Christos Dimitriadis, chair of the board of directors of ISACA, recently said that enterprises must develop a holistic approach that combines policies with the actual technology, people, and culture of the organisation.

"An enterprise risk management framework that incorporates cyber threats and links them to actual business, products, services, and brand names will help make it certain that steps toward cybersecurity will be made," Dimitriadis said. "It's about recognising the problem and understanding the relevance of the threats to the business."
