Who is better prepared for IoT-related attacks, SMEs or large organizations?

Small and midsized organizations (SMEs) are taking more steps to protect themselves from security risks associated with the Internet of Things (IoT) than large businesses, according to Pwnie Express. Small businesses are more likely to close the IoT security gap and better protect mission critical systems and business operations.

prepare IoT-related attacks

“It’s a bit counterintuitive, because large companies have the finances and the people to secure their connected devices and critical infrastructure, but smaller operations are doing more with less,” said Pwnie Express CEO Paul Paget. “That said, it is clear that the introduction of IoT into the enterprise is challenging the status quo of IT security across the board.”

Especially troubling was the fact that 41 percent of IT security professionals at companies with more than 1,000 employees did not know what types of attacks (i.e., ransomware, malware, man-in-the-middle attacks) had hit their IoT devices in the last year. Only 25 percent of IT security pros at SMEs were unaware of attacks – a number that is still too high, but much better than the results from the larger companies.

Organizations with fewer than 1,000 employees

Respondents from organizations with fewer than 1,000 employees were also more likely to:

  • Know how many devices are connected to their networks (62 percent for SMEs compared to 47 percent for larger enterprises) and how many connected devices are owned by employees (39 percent at SMEs versus 25 percent at larger organizations).
  • Check wireless devices for malicious infections in the last month (64 percent of SMEs had checked, while 55 of the IT security professionals at larger organizations had done the same).
  • Have checked wireless devices employees bring into the office in the last month (33 percent of the IT security professionals at SMEs had, while just 20 percent of the employees at large organizations made the same checks).

Large enterprises

All was not lost for large enterprises, however. Larger enterprises were more likely to:

  • Enact their own BYOD policies (41 percent, compared to 25 percent of SMEs).
  • Detect connected device threats (68 percent of the IT security professionals with large companies said they felt prepared, while 60 percent at the SMEs said the same thing).
  • Respond to connected device threats (73 percent of large organizations said they felt ready to respond to threats. At SMEs, 60 percent of respondents said they felt the same way).

“It’s one thing to say you are ready, but we believe you can’t really be ready if you don’t know what connected devices are coming into your office,” Paget said. “The research shows enterprises have a lot of work to do. Large organizations would benefit from thinking more like the SMEs we saw in our research – knowing what is connected to their networks, regularly assessing the devices in their environment, and being ready to respond to IoT threats coming their way.”

Additionally, researchers suggested large organizations:

  • Recognize the risk new IoT based business systems — HVAC, TVs, printers, even some kitchen appliances—introduce risk alongside their business optimization. The people who buy products for organizations need to know what to look for before they bring devices into the building and IT security pros need to know what to look for once new devices are there.
  • Deploy new technologies to monitor device threats.
  • Ensure security measures in use can assess threats and offer guidance on what devices need immediate concern.