Surveys play an important role in setting strategy and choosing how to address a difficult situation. Organizations today urgently need to address their IoT security situation; it’s the fastest growing part of the attack surface overall and the one security area most likely to be made worse by cyber threats driven by AI (a topic for another blog!). Yet until now there hasn’t been much survey data from large organizations about how they are approaching IoT security, the priority they give it, and what they would do differently to be more successful at it.
That’s why Viakoo worked with an independent survey organization to conduct an independent assessment of IoT security. The research was conducted in Q4 last year with 150 IT leaders from large organizations (>1000 employees) in North America, providing a snapshot of current issues and best practices to address them. I’d encourage you to download the eBook we put together (2024 IoT Security Crisis: By The Numbers).
Here are the three findings that stood out to me most:
- 83% of IT leaders agree their attack surface grew one application at a time, and should be remediated one application at a time: Enterprise IoT is defined by having tightly coupled systems of IoT devices and IoT applications; that IT leaders recognize this shows they are on the right path towards improving IoT security.
- 22% of organizations have had a serious or business-disrupting IoT security incident in the past 12 months: IoT attacks are rising, and because of the role IoT devices and IoT applications play in maintaining business continuity, these attacks will increasingly disrupt business operations.
- 71% of IT leaders wish they had started their IoT security efforts differently in order to get to remediation faster: This shows that learning from mistakes is happening, which is crucial to getting more quickly to remediation. More specifically, this highlights the missing piece of using application-based IoT discovery. By using network-based discovery alone, organizations have found it takes an unacceptable amount of time to finally get to remediation.
The most important goal of this survey was to shine light on where there may be missing pieces in current IoT security strategies, and where there are areas for improvement. On that topic the data was clear: Current approaches to IoT discovery are not working. Only 35% of IT leaders felt they were successful in using network-based asset discovery for addressing their IoT vulnerabilities. This makes sense, because network-based asset discovery is great for getting a high-level view of IoT devices but lacks accuracy (it’s based on inference) and misses the critical relationships between IoT applications, devices, and ports. Getting lost in an ocean of incomplete data (the result of network-based asset discovery) only makes the journey to remediation longer and more difficult.
Finally, there is a whole lot of optimism that IoT security is poised to deliver tangible risk-reduction benefits to organizations. The investments in IoT security continue to rise, the visibility is at the Board level, and the pitfalls of current approaches (like network-based discovery) are understood and being addressed. And unlike just a few years ago, there are more options to take action – through managed services, through IoT-specific security solutions, and through a more closely connected ecosystem of cybersecurity offerings. Ready to take action? There has never been a better time, according to our survey.