According to a survey conducted by the Internet of Things (IoT) security company Pwnie Express, an overwhelming number of IT security professionals (85%) see a cyberattack on critical infrastructure happening in the next five years. Pwnie Express CEO Todd DeSisto says that figure is perhaps the scariest number the company has seen in the four years they have been conducting the "Internet of Evil Things" research.
IoT (Internet of Things) devices are physical devices with internet connectivity, such as smart meters, connected cars, and connected medical devices.
DeSisto says, "These devices pose additional layers of complexity and environmental exposure that traditional IT security measures are insufficient to handle. Our survey shows that security professionals are clearly anxious about this."
There were other troubling findings from the more than 500 IT Security Pros who responded to Pwnie's questions, including:
- Compared to a year ago, 64 percent of respondents are more concerned about connected device threats, with IoT devices at the top of the list. Yet slightly fewer are checking their wireless devices than last year, and one in three reports that their organization is unprepared to detect connected device threats.
- 60 percent of organizations suffered a malware attack in 2017; 1 in 3 experienced a ransomware attack.
- Employee-owned devices (otherwise known as "BYOD") are a concern for 80 percent of our respondents, yet fewer than 50 percent can monitor BYOD in real time.
- Most organizations need to update their security policy to include IoT devices. Pwnie found that twice as many respondents had an IT security policy as had an IoT policy. Furthermore, fewer than 50 percent of security professionals are involved in the purchasing approval process in three vulnerable categories – Building OT/IoT, Industrial IoT, and Consumer IoT.
The professionals provided more surprising revelations:
- 49 percent are concerned about consumer IoT devices like smart watches, smart coffeemakers, and the like, while only 23 percent can monitor for these types of devices.
- 51 percent are concerned with malicious or purpose-built rogue devices, but only 24 percent can monitor for them in real time.
- It seems counterintuitive, but small-to-medium-sized organizations (SMOs) are more vigilant than larger enterprises. Just 49 percent of organizations with more than 1,000 employees know how many devices are connected to their networks as compared to 70 percent of SMOs.
"IoT has exponentially expanded the attack surface that organizations must identify, assess, and respond to," DeSisto says. "Putting numbers on some of these issues will help CISOs clarify just how bad the security situation really is."
To address the growing threat, Pwnie suggests the following:
- Recognize that poor cybersecurity threatens your organization's brand. An overwhelming number of security pros said the biggest impact of a cyberattack on their organization would be "negative brand perception." More than a third of respondents said brand perception was their biggest fear; no other option got above 20 percent.
- Involve security professionals in purchasing decisions for all connected devices.
- Update security policy to include IoT devices.