This, according to a survey by consulting firm Altman Vilandrie & Company, which said the cost of the breaches represented 13.4 percent of the total revenues for companies with revenues under $5 million annually and tens of millions of dollars for the largest firms. Nearly half of firms with annual revenues above $2 billon estimated the potential cost of one IoT breach at more than $20 million.
The survey found that while 68 percent of respondents think about IoT security as a distinct category, only 43 percent have a standalone budget.
“In other words, their decision-making process hasn’t really caught up with this new need,” said Stefan Bewley, Altman Vilandrie & Company director, who co-directed the survey. “You could speculate that’s not just in the budget but in how they think about securing IoT. There are some unique challenges to this that are not just like anther cell phone on your network.”
In addition to the sheer volume of IoT devices, which can present a security challenge, sometimes these devices aren’t easy to update, Bewley said. “If you want to put a new security patch on your computer, that can be a very easy process. But putting a new layer of security on an IoT endpoint can be challenging. IT might not be easy to physically access it, or they might not have the processing power to deploy it remotely.”
So how can companies ensure their IoT devices and networks remain secure?
“What we’re seeing is the need for this end-to-end security, and it always begins with the risk assessment,” said IDC analyst Robert Westervelt. “What we’ve been advocating is a threat-modeling approach.”
Microsoft, for example, says IoT security starts with a threat model, which it says enables developers to understand potential threats and then add the needed defenses. “Threat modeling forces the design team to consider mitigations as the system is designed rather than after a system is deployed,” the company writes in an IoT security architecture document. “This fact is critically important, because retrofitting security defenses to a myriad of devices in the field is infeasible, error prone and will leave customers at risk.”
Visibility Is Key
Portnox CEO Ofer Amitai often posts blogs about IoT security best practices. The company’s security product helps manage IoT security by monitoring all endpoints in a network.
Amitai says IoT security starts with visibility. The assumption here is that you can’t control what you can’t see. “Most organizations don’t have enough visibility in their IoT devices that are connected to their network,” Amitai said.
Once you have 100 percent visibility, then put the IoT devices into different segments.
“The vendor is not issuing patches fast enough, so you end up with devices placed to draw all the malwares and other bad things onto your network. The most important thing to do is just put them in a different segment, away from your crown jewels.”
And finally, monitor the behavior of the devices, using some type of risk management system. “If you notice any change in those devices, then you can react immediately, blocking them or disconnecting them.”
Enterprise Strategy Group (ESG) analyst Doug Cahill said IoT security is also about basic security best practices. “It’s Security 101,” he said, pointing to last month’s WannaCry ransomware attack as an example. The attack infected more than 250,000 computers across 150 countries — primarily government and institutional machines using outdated operating systems. “Make sure you are running the latest and greatest software system and update your applications.”
He also suggests a “least-privilege” model, where users or programs can only access the devices and data necessary for their legitimate purposes. “The least amount of actors with the least amount of privileges,” Cahill said. “This minimizes the blast radius so if there is a compromise, that compromise can only do so much damage.”
Microsegmentation can also improve IoT security. “It takes a playbook out of networking for security in creating a logical group of entities that have logical access control to each other,” he said. Then encrypt that and have a key management server. You’re locking down getting into the group, what you can do in the group, and the communication between the group.”
Expect Government Regulation
Last month Microsoft added its voice to calls for the government to regulate IoT security. And most security analysts agree that it’s not a matter of if regulations will come, but when.
“The 800-pound elephant in the room is regulation,” said Gartner analyst Earl Perkins. “I think once we begin to kill people and damage environments with our cyber mistakes with IoT devices that we weren’t able to protect, we’ll have people knocking on the door. There’s going to be a body-count limit on this. If you derail a train into a refinery, you’re probably going to get some regulation.”