IoT-Related Cyber-Attacks Leave Most Organizations Vulnerable
by Robert Bond
The Irdeto Survey of 700 security decision makers found that 80% of organizations’ IoT devices that they manufacture, or use had experienced a cyberattack in the past year.
Digital Transformation Includes Adding IoT Devices
Digital transformation and subsequently business transformation have become foundational buzzwords in executive presentations concerning the future of doing business. Smart cities, smart manufacturing and smart industries across all industries are the product of smart devices communicating with one another to create seamless, interconnected systems. These systems rely on devices that communicate with one another to make the organization more effective and efficient concerning how it delivers value to its customers.
Business executives across the globe discuss digital transformation in glowing terms; although very differently from one industry and one company to another. The customer value and productivity improvements from the increased use of technology throughout an organization’s ecosystem are almost immeasurable from the perspective of many executives. However, when you unpack the term “digital” it certainly means different things to different people.
The 17% in Growth of IoT Devices Will Increase Cyber Attacks
Digital can mean a move to the cloud, utilizing new software, leveraging data analytics and using dozens of other technologies. There is no doubt that in one aspect or other businesses are embracing the digital transformation. IDC forecasts that worldwide spending on technologies that facilitate digital transformation will reach $1.97 trillion in 2022. In addition, IDC predicts that digital transformation spending will grow substantially through the next half-decade, achieving a five-year compound annual growth rate of 16.7 percent between 2017 and 2022.
The foundation of the much of this new industrial revolution or Industry 4.0 as it is often called, is the growth of IoT devices. Currently, 7 billion IoT devices are in use worldwide, by 2025 that number is expected to grow to over 20 billion. These devices, just like any connected device like a laptop or server expand the attack surface of the organization. In other words, they present a new vulnerabilities for attackers to exploit.
Irdeto’s Survey Says 80% of Organizations Had IoT-Related Attack
Irdeto’s survey, conducted by Vanson Bourne involved 700 security decision makers across diverse industries as well as the manufactures of the devices themselves. The data was collected just 3 months ago from China, Germany, Japan, the UK and the U.S.
Eighty percent of the organizations in the survey experienced an attack against one of more of their IoT devices in the past year. Perhaps surprisingly, in the UK, 86% had experienced attacks while Japan had only 60%. In addition, of the 80% that experienced an attack, 90% were impacted in some way or another as a result of the cyberattack.
The impact was described as operational downtime, compromised customer data, end-user safety, brand or reputational damage, a loss of customers or stolen intellectual property. Finally, similar to the respected Ponemon Study damage measurement, the survey also found that the average financial impact as a result of an IoT-focused cyberattack was $330,602.
The Mirai-Related Attacks Were Just the Start
Many in the IT security profession predicted this wave of attacks as an increasing number of IoT devices were put online. In the wake of the Mirai cyber-attacks in 2016 which affected countless devices and victims by enslaving IoT devices like security cameras, DVRs and routers to launch DDoS or distributed denial of service attacks against websites like Krebs on Security, GitHub, Twitter, Reddit, Netflix, and Airbnb as well as many others, security leaders understood IoT devices turned botnet was just one problem.
The survey suggests that 83% of those surveyed are concerned about their IoT systems suffering a future cyber-attack including 32% being “very” concerned. In addition, there is very little confidence in the current device security. Over 33% of user organizations believe that device security could be improved significantly. Among the IoT manufacturers themselves, confidence in device security is surprisingly low; 41% percent of the IoT device manufacturers feel their own device security could be improved.
The survey found that only 17% of IoT devices used or manufactured by large enterprises have NOT experienced a cyberattack in the past year. Healthcare companies led the way (82%), followed by manufacturing (79%) and connected transport (77%) were the most targeted by attacks. Worth noting again, Japan is the only country where IoT devices do not seem to be such a significant target for cyberattacks.
IoT devices are usually exploited by attackers through unpatched software or weak or default passwords on the devices themselves. Since Mirai three years ago, there has been a steady growth of IoT threats with five main attack families emerging in 2017 and double that recorded in 2018, including VPNFilter – an IoT threat that appears to have been sponsored by a nationstate.
The main security issue with IoT devices is that the majority of device vendors license software development kits for the chipsets they use in their smart cameras, smart appliances, and other IoT devices. Thus, they pass on the security responsibility to their vendors rather than manufacturing and testing the IoT device as a system.
The Cost of an IoT-Related Attack is Likely to Grow
As suggested, the average cost of an IoT security incident has been relatively low in as compared to Ponemon’s average cost of a breach of $3.86 million versus $330,602 quoted in the Irdeto survey. However, Irdeto suggests that “It is possible that these organizations may not be taking into account all of the costs associated with a cyberattack, including lost business, costs to correct any vulnerabilities that led to the attack” and other peripheral costs of an attack.
Irdeto further states “it is also possible that with IoT proliferation in these industries being in its relative infancy, the current cost of cyberattacks on these devices is not as catastrophic as in other parts of the business. However, if this is the case, the costs will surely skyrocket as IoT devices become more abundant and connectivity continues to increase throughout the business.”
Ultimately as the digital transformation progresses, the attack surface for organizations increase and the malware strains and attacks proliferate the number of attacks and damage will likely increase. One of the more promising takeaways of the survey is that 99% of the respondents agree that a security solution should be an enabler of new business models, and not just a cost. It would have been very interesting to have understood the 1% of respondents who took the other side of the “cost” question.
SecureOps is deeply committed to helping organizations handle the digital transformation as they bring in and integrate IoT and other new technologies. Penetration testing, vulnerability assessments, security posture assessments are all services that move the security maturity of organizations forward so that they can progressively eliminate gaps in security that new technology causes.
June 23, 2020
June 16, 2020