Eight in ten organizations have experienced a cyberattack on their IoT devices in the past 12 months, according to new research by Irdeto. Of those organizations, 90% experienced an impact as a result of the cyberattack, including operational downtime and compromised customer data or end-user safety. This demonstrates the security limitations of many IoT devices and the need for organizations to think carefully about a cybersecurity strategy amidst an IoT deployment.
The impact of IoT cyberattacks
The Irdeto Global Connected Industries Cybersecurity Survey of 700 enterprises in five countries (China, Germany, Japan, UK and US) also found that organizations in transport, manufacturing and healthcare have suffered substantial losses due to IoT-related vulnerabilities, with the average financial impact as a result of an IoT-focused cyberattack identified as more than $330,000.
With IoT in its relative infancy across these sectors, this substantial financial burden is only going to increase if action is not taken. However, it’s not all gloom and doom for these sectors. Of those surveyed, 99% agree that a security solution should be an enabler of new business models, not just a cost. These findings suggest that the previous mindset of IoT security as an afterthought is changing.
“One of the most promising results of the study found that today’s organizations in technology, transport, manufacturing and healthcare are thinking even more strategically about security,” said Steeve Huin, Vice President of Strategic Partnerships, Business Development and Marketing, Irdeto. “This is a clear indication that today’s businesses realize the value add that security can bring to their organization. From enabling new rental or subscription models in connected vehicles, to Digital Twins revolutionizing the manufacturing processes, to providing patients with even better healthcare, security is the enabler to successfully implementing new and future business models in today’s connected world.”
The future security of IoT devices
While the security mindset may be changing, the research also suggests a distinct lack of optimism about the future security of IoT devices within these organizations. Only 7% of respondents stated that their organization has everything it needs to tackle cybersecurity challenges.
46% stated they need additional expertise/skills within the organization to address all aspects of cybersecurity. This was followed closely by more effective cybersecurity tools and the implementation of a more robust cybersecurity strategy at 43% each.
Perhaps even more alarming, 82% of organizations that manufacture IoT devices are concerned that the devices they develop are not adequately secured from a cyberattack. Further, a total of 93% of manufacturers and 96% of users of IoT devices stated that the cybersecurity of the IoT devices that they manufacture or use could be improved either to a great extent or to some extent.
In the UK, Germany and China, 100% of IoT device users believe that the cybersecurity of the devices they use could be improved either to a great extent or to some extent – an alarming finding, considering that these devices are proliferating rapidly throughout these organizations.
“The benefits brought to a wide range of industries by connectivity and the Internet of Things are not in doubt. However, greater connectivity opens organizations and their customers up to a myriad of additional vulnerabilities that must be considered from the outset,” said Jaco Du Plooy, Vice President of IoT Security, Irdeto. “If you want to take advantage of the benefits of connected devices or software, you need to choose wisely where to spend your time and budget. Organizations must understand the scope of their current risk, ask hard cybersecurity-centric questions to vendors and work with trusted advisors to safely embrace connectivity in their manufacturing process. Then organizations must incorporate multiple layers of security into their defenses.”
Security measures in place
With IoT-focused cyberattacks becoming more and more common, organizations rightly have several security measures in place. However, the study found that more than one-in-four organizations (26%) do not have software protection technologies implemented into their business.
In addition, fewer organizations have mobile app protection (52%) implemented and even fewer still make security a part of the product design lifecycle process (49%). The study also found that only just over half of the organizations surveyed (53%) conduct continuous security and/or code reviews.
However, while it’s clear that many organizations may not have the most robust cybersecurity strategy in place, most are planning on adding to their cybersecurity portfolio in the next year. Of the businesses surveyed, 18% plan on adding software protection in the next year, while 29% plan on adding mobile app protection, 30% plan on making security part of the product design lifecycle and 29% plan on implementing continuous security and/or code reviews in the next year.