Corporate-Owned IoT Devices Are High Risk & ‘Under Siege’, Experts Warn

Why Trust Techopedia

The first quarter of 2024 has been about artificial intelligence (AI) and what it can and cannot do, so it’s no surprise that organizations have focused on it.

However, the Internet of Things (IoT) is close to AI on the priority list—according to IoT Analytics, it was reported as one of the three corporate priorities in 2024.

Despite its potential to streamline operations and boost efficiency, the IoT firm Asimily warned that as businesses push on with their IoT strategies there is also a parallel growth in IoT security vulnerabilities.

Last year, a Zscaler report indicated a 400% growth in IoT malware attacks, a testament to how poorly secured IoT devices can present a tempting target for cybercriminals.

Factoring in the above numbers reveals one thing: corporate reliance on IoT devices could leave organizations more vulnerable to security incidents than we think.

All these beg the question: how are organizations prepping themselves for corporate IoT security challenges in 2024?

To answer this and more, we explore key trends in IoT security and seek expert opinions.

Key Takeaways

  • Corporate IoT devices are increasingly becoming targets for cyberattacks, with a reported 400% growth in IoT malware attacks last year.
  • There is a disconnect between networking and security teams when it comes to prioritizing IoT device risks. This lack of cohesion creates dangerous blind spots.
  • IoT-related security breaches tend to be costlier for organizations compared to conventional cyberattacks.
  • DDoS botnets are making a comeback and may increasingly target hybrid workers’ IoT devices as entry points into corporate networks.

Security Teams At Odds Over Prioritizing IoT Device Risks

One of the key issues raised in a recent IoT security trends report by Forrester is that there is a disconnect between networking and security leadership teams around IoT security. This lack of synergy in direction is a huge concern and poses several implications.

The report found that while corporate IoT devices have been the most common target in cyberattacks against businesses, security leaders seem to be prioritizing other emerging technologies like cloud computing, AI integration, and even quantum computing over IoT device security.

This clash in priorities leaves a glaring gap in cybersecurity defenses at a time when IoT device proliferation within enterprises shows no signs of slowing down.

Reacting to this seeming lack of synergy between networking and security teams, Tony Lauro, Director of Security, Technology & Strategy at Akamai, told Techopedia that addressing both current security needs and preparing for emerging threats is a delicate balancing act.

He said:

“Both networking and security teams have a big job on their hands. They consistently have to change goalposts in terms of priorities, depending on what newsworthy event has garnered the attention of senior management and investors.”

However, Lauro emphasizes that foundational security should remain the top priority for most organizations.

“The age-old concept of taking care of the basics will usually trump any sort of emerging threat conversations,” he states. With teams often understaffed and overworked, securing existing systems like IoT environments is crucial.

“Focusing on securing those systems should be the main focus on security and networking teams, respectively,” Lauro advises.

For Jacob Kalvo, Co-Founder and CEO at Live Proxies, the priorities of networking and security teams don’t always align when it comes to IoT security.

“While emerging technologies like generative AI, quantum computing, and cloud computing are undoubtedly important, they should not overshadow the critical need to secure corporate IoT devices,” Kalvo told Techopedia in a chat.

He further warns that the lack of cohesion and unified prioritization between those responsible for network operations and cybersecurity can create dangerous blind spots.

When IoT Systems Are Breached, Companies Pay Through the Nose

As companies double down on digital transformation initiatives by deploying more internet-connected devices, security incidents involving IoT devices often translate into higher breach costs compared to conventional cyberattacks.

Forrester’s report reveals that companies that suffered breaches involving compromised IoT devices faced cumulative costs between $5 million and $10 million.

In contrast, those without IoT devices targeted typically experienced lower breach costs. This difference exposes IoT as a critical risk factor that can severely inflate an organization’s cyber incident financial burden.

The above is in line with the opinion of Thomas Pace, CEO and Co-Founder at NetRise, who blamed the situation on difficulties inherent in detecting IoT vulnerabilities at scale.

He told Techopedia:

“Detecting and responding to security incidents related to IoT devices is incredibly difficult, the industry does not possess the analysis and telemetry at scale as it does for traditional endpoint security solutions.”

This lack of robust monitoring and analytics capabilities allows attackers to fly under the radar after compromising IoT systems.

“Attackers are able to remain stealthy and hidden once they compromise IoT devices which increases dwell time. This therefore increases remediation costs after the fact because it is much more difficult to ascertain what other actions on target may have been conducted,” Pace explains.

Botnets Revive Assaults on IoT Devices of Hybrid Workers

Another troubling IoT security finding shows that Distributed Denial of Service (DDoS) attack DDoS botnets are making a resurgence and may increasingly target hybrid workers as an entry point to infiltrate corporate networks.

Pace of NetRise believes this tactic makes sense given the security gaps around remote workers.

“Hybrid workers are using SOHO routers and network devices that are significantly less secure than enterprise-grade network devices,” Pace explains.

“In addition, when you have a centralized corporate network, it is easier to scrub the network traffic from a DDoS perspective vs. doing this for a distributed workforce.”

He suggests a potential solution could be for all hybrid workers to use a VPN to connect to their corporate network to centralize their network traffic and activity.

“A potential solution here is for all hybrid workers to VPN into their corporate network to centralize their network traffic and activity. The downside of this is that attackers will likely catch on and then target those VPN concentrator endpoints, but this should reduce the DDoS attacks to some extent.”

An alternative, according to Pace, would be to provide remote staff with more robust, corporate-managed networking devices that could improve security postures.

He said: “You could also provide a hybrid workforce with more advanced network devices to connect in that are managed by the corporation, but this is expensive and increases overhead.”

Strategies to Remedy the IoT Security Issues

According to Lauro of Akamai, improving control and visibility over communications between IoT devices is critical and is a way in which organizations can remedy the IoT security situation.

He told Techopedia:

“Having the ability to control how devices within your organization talk to each other is of great importance. Typically when an attacker gets into your network, they will look around and see what they can already talk to from the device they have hijacked.”

Since many internal systems need to communicate for business operations, limiting unnecessary connections is key.

He adds:

“Being able to identify and shrink the attack surface of these internal systems and the services they run and how they communicate with each other is something that many organizations just don’t have a good handle on at the moment.”

Addressing IoT security gaps begins with increasing visibility, according to Pace. “We must begin with visibility from both an outside-in and inside-out perspective.”

For outside-in visibility, Pace recommends technologies like device identification, network security monitoring, and asset management tools to understand where IoT devices are, what they are, and what they are doing from a network perspective.

Complementing this is an inside-out analysis of the embedded systems.

He said: “You can analyze the operating systems, firmware, and software that make up these devices to understand the risk of their components

“A key artifact is a Software Bill of Materials (SBOM). This allows visibility into what exists on devices, so if a component is compromised or a new vulnerability emerges, you can rapidly determine if it is impacted.”

Improving external network monitoring combined with internal embedded system analysis provides crucial IoT visibility. “If one of these components is compromised or a new vulnerability comes out, you can rapidly respond and determine if you are affected,” Pace explains.

The Bottom Line

While IoT brings immense business benefits, it also introduces significant security risks that organizations must prioritize. As the experts pointed out, a multi-layered approach is crucial.

Establishing comprehensive visibility into IoT devices, their components, connections, and activities lays the foundation as you can only protect what you can see. So, leveraging tools for external network monitoring and internal software analysis can illuminate blind spots.

With this awareness, organizations can then implement granular controls over device communications to limit unnecessary connections and communications, thereby cutting down the attack surfaces.

Related Terms

Related Article