IoT security demands globally connected threat insights

The Internet of Things (IoT) is growing at an astounding pace globally, as individuals and organisations seek to make more sense of the world through a plethora of connected devices and sensors. According to analyst firm Gartner, the number of connected “things” is predicted to hit 14.2 billion in 2019 and grow to 25 billion by 2021.

Despite the global proliferation of IoT, the security measures in place to protect this new category of Internet-enabled devices are sorely lacking. According to our latest IBM X-Force Security report, there has been a 5,400% increase in the number of IoT vulnerabilities recorded between 2013 and 2018.

We now see security flaws in IoT devices leaving us vulnerable to gigantic botnets of commandeered IoT devices. Moreover, the default credentials and passwords that IoT devices typically ship with are often weak or non-existent, which makes the work of cyber criminals much easier. They only need to search for the devices through automated software, gain access via default credentials or an unpatched vulnerability, and they’ve added another device to their growing botnet. 

IoT devices offer the perfect avenue to reduce the cost of launching and maintaining Distributed Denial of Service (DDoS) attacks while contributing to their gargantuan size. The Mirai botnet in 2016 caused widespread internet disruption and was the first major wakeup call to the industry around the need for IoT security. Since then, these botnets have only become bigger and more deadly, so the entire sector needs to start thinking more carefully about the way we deploy and secure IoT devices.

The other major problem is the general lack of visibility that organisations have over these fast-growing networks of IoT devices. One of the reasons we saw IoT become one of the biggest attack vectors of 2018 was its general invisibility within the network. According to Gemalto research, 48% of businesses are still unable to detect all of the devices on their network. In an era of new regulations and rising customer expectations, this is an unsustainable situation.

Connected threats require collaborative insights

Unless something is done to improve the security capabilities of devices as well as their all-round visibility, security experts are predicting even more attacks against IoT networks and infrastructure in the coming years. But no one organisation has the internal capability to develop a solution to IoT security on its own – this is a situation that requires deep and committed collaboration between developers, vendors, and organisations that define the standards around IoT devices.

The first step in this collaboration is building awareness across the industry of the evolving nature of threats, which is part of our mission at IBM Security. IoT security awareness training needs to become an integral part of IoT deployments for every organisation, from developers to purchasers. The biggest strengths and vulnerabilities of security will always be your people, so the more aware they are of the shortcomings of IoT device security and IoT network visibility, the more cognisant they will be of finding solutions to new and unseen threats.

The next step depends on establishing security throughout the IoT development life cycle, while also investing in next-generation device protection solutions. Regulation will increasingly provide the impetus for this, as we’ve already seen governments such as California implementing laws against devices being shipped with default passwords. With the need to know exactly where data resides and how a breach has occurred for regulatory reporting, visibility into IoT networks will become a more widespread driver of security discussions.

To take advantage of the incredible benefits that IoT offers to our enterprises and our society, we need to begin opening up the security conversation across every level of the industry. With so much at stake, we cannot rely on regulations and compliance to drive greater IoT security. Collaborative innovation and insights will be essential if we want to protect our vast and growing network of IoT devices.


About the author:

As the CTO of IBM Security in Australia and New Zealand, I lead a client strategy that focuses on risk, threat management, and digital trust. If you would like to discuss how your organisation can develop the advanced cyber resiliency capabilities to detect and neutralise external and internal threats across your organisation, please feel free to contact me.

Noam Rozen

AUSraeli | Cyber Security Advisor

5 years ago

Enterprise visibility across IT, OT and IoT - it is a reality and already in use in Australia. Discover —> Analyse —> Protect. No installation of agents. No impact on the network. Richard Muniz - BEng(software)(Hons)

More articles by Chris Hockings