Rising risks from accelerated use of unchecked IoT in enterprise

By February 26, 2024 May 7th, 2024 News

Enterprises continue to embrace IoT strategies to streamline operations, boost efficiency, and improve customer experiences. From hospitals to manufacturers to public sector agencies, IoT device fleets are critical for meeting these modernization goals.

However, the acceleration in connected device deployment opens new windows for cybercriminals and exposes networks to potential breaches.

Kenan Frager, VP of Marketing at Asimily, warns that vulnerable IoT devices continue to be a glaring cybersecurity weak spot for many enterprises. He opines that businesses are lured by the benefits the devices offer but do not take the necessary effort to check if such technologies are sufficiently secure.

“Regardless of industry, an attack on IoT infrastructure can and will result in operational downtime, loss of IP, loss of revenue, and reputational harm.” – Kenan Frager

He notes that regulatory compliance adds another layer of pressure, with steep fines and sanctions looming for breaches that affect HIPAA, PCI DSS, NIST, SOC 2, and other increasingly stringent mandates.

Report findings

Breach tactics continue evolving: Cybercriminals seeking confidential proprietary data to sell for financial gain look for and infiltrate vulnerable and often-unsecured IoT devices to establish initial access to an enterprise’s network.

That tactic supports ransomware attacks as well, with criminals gaining access via IoT endpoints, encrypting data, and extorting ransoms. In other cases, nation-state-sponsored groups are motivated to shut down or disrupt the services of their targets.

A common tactic is harvesting vast fleets of vulnerable IoT devices to create botnets and utilize them to conduct DDoS attacks. Attackers also know they can rely on unresolved legacy vulnerabilities, as 34 of the 39 most-used IoT exploits have been present in devices for at least three years.

Routers are the most targeted IoT devices, accounting for 75% of all IoT infections. Hackers exploit routers as a stepping stone to access other connected devices within a network. Security cameras and IP cameras are the second most targeted devices, making up 15% of all attacks.

Other commonly targeted devices include digital signage, media players, digital video recorders, printers, and smart lighting. The Asimily report, IoT Device Security in 2024: The High Cost of Doing Nothing also highlights the especially consequential risks associated with specialised industry equipment, including devices critical to patient care in healthcare (including blood glucose monitors and pacemakers), real-time monitoring devices in manufacturing, and water quality sensors in municipalities.

Cyber insurers are capping payouts. Cybersecurity insurance is becoming more expensive and difficult to obtain as cyberattacks become more common. More insurers are now requiring businesses to have strong IoT security and risk management in place to qualify for coverage—and increasingly denying or capping coverage for those that do not meet certain thresholds.

Among the reasons why cyber insurers deny coverage, a lack of security protocols is the most common, at 43%. Not following compliance procedures accounts for 33% of coverage denials. Even if insured, though, reputational damage remains a risk: 80% of a business’s customers will defect if they do not believe their data is secure.

Manufacturing is now the top target: Cybercriminals are increasingly focusing their attention on the manufacturing, finance, and energy industries. Retail, education, healthcare, and government organizations remain popular targets, while media and transportation have been de-emphasized over the past couple of years.

“There’s a clear and urgent need for more businesses to prioritise a more thorough risk management strategy capable of handling the unique challenges of the IoT,” said Shankar Somasundaram, CEO, Asimily.

“While organisations often struggle with the sheer volume of vulnerabilities in their IoT device fleets, crafting effective risk KPIs and deploying tools to gain visibility into device behaviour empowers them to prioritise and apply targeted fixes.” – Shankar Somasundaram

He added that this approach, coupled with a deeper understanding of attacker behaviour, enables teams to distinguish between immediate threats, manageable risks, and non-existent dangers.

“The right strategy equips organizations to focus efforts where they matter most, maximising their resources while ensuring the security of their IoT ecosystem at scale,” he concluded.