New research from Forescout suggests that there remains a disconnect within UK PLC between understanding a problem exists and actually doing anything to fix it – the problem in this case being the number of unknown IoT devices on their networks that can put them at risk of attack.
According to the Forescout report, there has been a two percent increase in the number of UK businesses that have unknown devices on their networks. This may not sound like much, but it represents an additional 110,000 organisations that are at risk compared to last year and means that nearly half (49 percent) believe there are unknown, third-party, devices on their networks.
If you think that statistic is barmy, just wait until you get a load of the next one: some 85 percent of the CIOs and IT decision makers questioned by Forescout said this poses a security risk to the organisation.
That 2.8 million UK businesses are leaving themselves open to this lack of IoT visibility and control risk begs the question of what the strategic business mentality at play behind this actually is.
For the longest time, the lack of visibility issue when it comes to the IoT device threat to business was put down to an awareness problem. It simply wasn't understood that IoT, and operational technology (OT), devices posed such a major risk to the security of their networks and the data accessible through it.
That just isn't the case anymore – you'd have to be living in a cave, as an IT decision maker, not to be aware of the risk. Yet here's the thing: those folk do now understand the risk, only 15 percent of those questioned by Censuswide for the Forescout research were unaware that a lack of visibility and control of these devices leaves network security infrastructure weakened. Frankly, even that 15 percent 'in the dark' figure is surprising given that 69 percent of organisations admit to more than 1,000 such connected devices and one in five (19 percent) more than 10,000.
Now here comes the disconnect you've all been expecting: while 58 percent of those asked thought a centralised approach to IT and OT security, providing that all important visibility and control, would protect against vulnerabilities in the security infrastructure, only 49 percent had implemented any such thing in their own organisations.
The research suggests that "despite various new regulatory benchmarks and many notable attacks on industry giants in the past twelve months," Myles Bray, vice president (EMEA) at Forescout says "UK businesses are still painfully unaware of the huge threat vector that connected devices present."
Which leads us to wonder why the IoT threat isn't being taken more seriously when business know the danger it poses but doesn't do anything to mitigate that risk?
One of the potential reasons why there is a discrepancy between awareness around cyber-threats and action taken to mitigate these risks is the lack of clear ownership around cyber-security infrastructure and spend within organisations, Julie Cullivan, chief technology and people officer at Forescout, told SC Magazine.
"Many organisations have yet to clearly define who within their ranks is actually responsible for cyber-security infrastructure and spend," Cullivan said. "On one hand, the official responsibility, and therefore budget, often sits with the CIOs, CTOs or CISOs, but with the advent of the digital revolution suddenly line of business (LOB) leaders are now making technology decisions often without understanding or owning the cyber-security risk."
Indeed, and as Cullivan concluded, in an ideal company structure, cyber-security would be considered an enterprise risk and ownership would be assigned by the executive security committee, but likely governed by the CISO organisation. "Cyber-security should be an all hands on deck responsibility within any organisation," she advises.
As to the mentality that might be at play behind this apparent illogical disconnect, Paul Edon, technical director (EMEA) at Tripwire, thinks he might know the answer. "The threat to IoT devices isn’t taken seriously because there is a widespread tendency to commoditise technology," he told SC Media UK. "Everything is better with an internet connection: machine connectivity is handy and leads to greater efficiency."
Which means that almost inevitably the attack surface that businesses need to secure becomes larger and larger. "To avoid the next WannaCry attack being the wake up call to secure IoT devices," Edon told SC, "it is necessary to put in place security-oriented standards for the Internet of Things industry as a whole."
To ensure logical security within the IoT environment, Edon concludes, "We need to make it more expensive for manufacturers to produce unsafe devices rather than strive for safety through compliance."
You know what, he might just be onto something there...