How the Internet of Things impacts enterprise security
A new study conducted by Atomik Research examined the impact that emerging security threats connected with the Internet of Things (IoT) have on enterprise security. Study respondents included 404 IT professionals and 302 executives from retail, energy and financial services organizations in the U.S. and U.K.
Key findings:
- Employed consumers working from home have an average of 11 IoT devices on their home networks, and nearly one in four employed consumers (24 percent) have already connected at least one of these devices to their enterprise networks.
- 63 percent of executives expect that business efficiencies and productivity will force them to adopt IoT devices despite the security risks; however, only 46 percent say the risks associated with IoT have the potential to become the most significant risk on their networks.
- Only 8 percent of energy IT professionals are concerned about cybercriminals attacking industrial controllers, but 88 percent are not confident in the secure configuration of industrial controllers.
- Less than one in four IT professionals are confident in the secure configuration of common IoT devices that are already on enterprise networks: Voice over Internet Protocol (VoIP) phones (21 percent), sensors for physical security (20 percent), smart controllers for lights and HVAC (16 percent), point-of-sale devices (18 percent) and industrial controllers (12 percent).
Research firm IDC anticipates there will be approximately 30 billion IoT devices installed by 2020, up from an estimated nine billion today. These devices are expected to deliver an overall global economic value add of $1.9 trillion, of which 80 percent will be derived from services. While the IoT marketplace is lucrative, new devices will open additional attack vectors for enterprise networks.
Chris Conacher, security development manager at Tripwire, commented: “The reason many enterprises are relatively “unconcerned’ about the security of IoT devices is because they misunderstand the risk. They may believe they have “solved’ the security problem, when they have not. Alternatively, they may believe that there is no security problem when there is. Frequently, organizations believe that they have nothing of value that would interest an attacker – this is rarely true. For attackers there is always something to be gained, and they’re not always looking for data that has financial value. From the theft of information or services that can be used to add a veneer of legitimacy to phishing campaigns or user credentials that can be used to gain access to a connection point from which to attack corporate partners, there is always something of value.”