The Internet of Things (IoT) is maturing, with IoT devices becoming increasingly common across all industries, and the widespread implementation of 5G Ultra Wideband networks is only set to further fuel IoT growth. In fact, the global IoT market is expected to reach over $1.3 trillion by 2026 according to Verified Market Research, representing a compound annual growth rate of 25.68% from $212 billion in 2018.
Yet, even as the number of connected devices skyrockets, many organizations may be failing to adequately secure them. IoT security is all too often overlooked when it comes to enterprise security architectures, and that oversight can have costly repercussions.
Don't let IoT device security fall to the bottom of your security to-do list. If you need convincing, take a look at the following statistics that illustrate the rising risk surrounding IoT. Then follow the steps outlined below to better secure your IoT environment.
IoT security risks are rising
The Verizon Mobile Security Index 2021 took a special look at IoT by identifying a subset of respondents who were responsible for buying, managing and securing IoT devices and giving them a customized question set. It found that the challenges seen in mobile were mirrored in the IoT environment.
For example, 31% of IoT respondents admitted to having suffered a compromise involving an IoT device. As with mobile compromises, cutting corners on security was partially to blame: 41% of respondents admitted to sacrificing IoT security to "get the job done."
When individuals bypass best practices, there are consequences. In fact, Verizon found that organizations were 1.7 times as likely to experience a compromise involving an IoT device when employees ignored IoT security guidelines. It just goes to show that even if you create robust security policies, you need to follow through with user education and enforcement of the rules to better protect the IoT network.
Take a closer look at what can happen as a result of all this rising risk: Of all respondents who suffered a compromise, 66% called the impact "major," and for many, recovery was difficult and costly—59% suffered downtime, 56% lost data and 29% faced regulatory penalties. If you think your organization is likely safe due to size or industry, think again. Security breaches impact businesses of all sizes and across all industries.
6 steps to better IoT security
If you don't currently have a robust IoT device security plan in place, or are planning to incorporate IoT devices into your IT infrastructure, here are some useful steps you can follow for better, more comprehensive security:
- Review IoT device security before you buy. This will take a little research on your part, but it is a necessary step to weed out devices with weak built-in protections. Before buying a device, ask for any security reports provided by the vendor and review security claims to determine their validity. If you find any noted potential vulnerabilities, do some digging online to measure the danger and see if you can discover a fix. This goes for all connected devices—even those that may seem ancillary to your daily operations. Case in point: Hackers have gone as far as hacking gas pumps with programmable logic controllers, like those often used in factories and other industrial environments to manage equipment. No device is safe.
- Harden all IoT devices. You should take a multi-pronged approach to device security that includes securing potential points of entry, such as transmission control protocol (TCP)/user datagram protocol (UDP) ports, open password prompts, places to insert code and even radio connections. Doing so will boost your overall device security posture and decrease risk. In addition, once devices are in use, replace their passwords with complex ones that are difficult to replicate. This can help reduce the risk of a breach.
- Stay up to date on IoT security patches. It may feel tempting to delay patches or updates, but doing so can vastly increase risk if they fix or close known vulnerabilities. To ensure your devices are always up to date, create a schedule for regularly updating security patches for IoT devices. Regularly check for firmware updates, and change default passwords. Many vendors don't create patchable devices from the start, which is why the aforementioned step of researching devices before you buy is critical.
- Restrict device access. You should always establish a list of who is allowed to access devices and for what reasons, especially for IoT devices. Keep it as current—and as small—as possible to limit risk and make it easier to spot nefarious behavior. You should also review which of your organization's contractors or partners are allowed to access devices and cull this list often to reduce the risk of third-party breaches.
- Secure your networks. Take advantage of strong user authentication protocols, so only authorized users have access to your networks. Users may complain about the inconvenience, but it's worth the effort to make it harder for external users to break through the extra layers of authentication. Context-aware authentication is especially useful with IoT applications, providing an added element of security. Network-layer and transport-layer encryption are also best practices for decreasing risk.
- Encrypt user and application data. IoT devices often transmit private, personal data. Encrypting this information in transit and at rest should be a major priority, as it will help protect the data from malicious actors if they manage to breach your network or its connected devices. Without encryption in place, your organization could face not only the loss of critical or sensitive information but also penalties and reputational damage.
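The hardening, patching, access and encryption steps above can be checked routinely against a device inventory. The following Python example is added here and is not from the original article; the inventory records, field names and policy thresholds are all constructed assumptions.

```python
from datetime import date

# Constructed sample inventory; all device names, fields and values are hypothetical.
INVENTORY = [
    {"id": "cam-01", "default_password": True, "open_ports": [23, 443],
     "last_patched": date(2020, 11, 2), "tls": False, "encrypted_at_rest": False,
     "access": [{"who": "facilities", "third_party": False, "reviewed": date(2021, 5, 1)}]},
    {"id": "sensor-07", "default_password": False, "open_ports": [8883],
     "last_patched": date(2021, 4, 20), "tls": True, "encrypted_at_rest": True,
     "access": [{"who": "integrator", "third_party": True, "reviewed": date(2021, 3, 1)}]},
    {"id": "plc-03", "default_password": False, "open_ports": [443],
     "last_patched": date(2021, 5, 10), "tls": True, "encrypted_at_rest": True,
     "access": [{"who": "hvac-contractor", "third_party": True, "reviewed": date(2020, 6, 1)}]},
]

# Assumed policy thresholds; tune these to your own environment.
POLICY = {"allowed_ports": {443, 8883}, "max_patch_age_days": 90,
          "max_access_entries": 3, "max_review_age_days": 180}


def audit_device(dev, today, policy=POLICY):
    """Return a list of findings for one device, grouped by checklist step."""
    findings = []
    if dev["default_password"]:
        findings.append("harden: default password still set")
    extra = sorted(set(dev["open_ports"]) - policy["allowed_ports"])
    if extra:
        findings.append(f"harden: open ports outside allowlist {extra}")
    if (today - dev["last_patched"]).days > policy["max_patch_age_days"]:
        findings.append("patch: last firmware update is outside the patch window")
    if len(dev["access"]) > policy["max_access_entries"]:
        findings.append("access: access list is longer than policy allows")
    for entry in dev["access"]:
        age = (today - entry["reviewed"]).days
        if entry["third_party"] and age > policy["max_review_age_days"]:
            findings.append(f"access: third-party entry not reviewed recently: {entry['who']}")
    if not dev["tls"]:
        findings.append("encrypt: traffic is not encrypted in transit")
    if not dev["encrypted_at_rest"]:
        findings.append("encrypt: stored data is not encrypted at rest")
    return findings


def audit(inventory, today):
    """Map each device id to its findings; an empty list means no gaps found."""
    return {dev["id"]: audit_device(dev, today) for dev in inventory}


if __name__ == "__main__":
    for dev_id, findings in audit(INVENTORY, date(2021, 6, 1)).items():
        print(dev_id, findings or "OK")
```

Running the audit on a schedule, and treating any non-empty result as a ticket, is one way to enforce the patch cadence and access-list reviews described in the steps.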
IoT opens up a world of possibilities for your business—and for bad actors. Given the level of financial and brand damage that a security breach can bring, it's critical to incorporate IoT devices—including mobile ones—into your overall security architecture. Otherwise, you stand to lose more than you gain from your IoT deployment.