Does it sound strange that many organisations believe they are exposed to major problems with Internet of Things device security, yet few of them have taken any measures to resolve those problems?
IoT devices are increasingly part of business life, whether deployed for the remote monitoring and control of industrial machines and systems, or arriving through BYOD, where personal and professional data coexist on the same device (Apple Watches and other wearables, for example).
A recent survey by Ponemon Institute showed how much of a problem there could be.
According to the survey results of over 500 IT and IT security practitioners:
- 75% said that IoT applications increased security risks significantly or very significantly
- 59% were concerned that their organisation would be attacked via an IoT app that the organisation used for its IoT devices
- 44% declared that their organisation was taking no action to improve IoT security
- 75% said that application development teams were responsible for vulnerabilities left in IoT application code
- 65% added that insufficient security policies compounded the IoT device security problem
- 58% admitted that they only considered security once an IoT app had been released
- 29% said that their IoT and mobile apps received any kind of vulnerability testing (i.e. 71% admitted that no such testing was done)
If you read these statistics in reverse, you can see a blueprint for fixing the problem:
- Define a suitable test policy and plan
- Test before app production release (and afterwards, as new threats surface)
- Give app development teams the tools and resources to test, or bring testing under the wing of the CISO (Chief Information Security Officer) or equivalent
Testing methods and tools may need to be revised, particularly if IoT apps are being produced in an Agile or DevOps environment that requires rapid test cycles.
However, the real challenge may be for organisations to overcome their current paralysis and fix the problem instead of just staring at it.