Rory Duncan, head of security business unit, Dimension Data UKI
Rory Duncan, head of security business unit, Dimension Data UKI

The era of the Internet of Things (IoT) presents an enormous challenge for enterprises when it comes to security. According to Gartner, 20.8 billion connected devices will be in use globally by 2020.  For cyber-criminals, each of these devices represents a potential end-point to exploit. The fact is that even the most advanced security tools in the world will fail if organisations are neglecting their network devices and failing to follow best-practice cyber-security processes generally, for instance, by regularly updating and patching software.

Networks are getting younger, but security is being neglected

Research shows that, while enterprises across the globe are refreshing their network equipment earlier in its lifecycle, in a move to embrace things like the business benefits of IoT, workplace mobility and software-defined networking (SDN) strategies, their networks are becoming less secure, largely due to neglected patching.

Of the 97,000 network devices assessed in the latest Network Barometer Report, the number of devices with at least one known security vulnerability increased from 60 percent in 2015 to 76 percent in 2016, which was the highest increase in five years. In Europe specifically, network vulnerabilities have increased significantly over the last three years, from 26 percent in 2014, 51 percent in 2015, to 82 percent this year.

Network security depends on both regular refreshing and patching. Newly deployed devices should have known vulnerabilities patched so, just by refreshing, a network will theoretically be more secure. However, while we're seeing network equipment being actively refreshed in Europe, vulnerabilities have nevertheless increased, which can be attributed to less diligent patching.

New devices and software require an initial ‘settling-in' period, during which new vulnerabilities may be discovered, making further patching requirements both immediate and wider in scope. In Europe, organisations tend to put more of their investment into strategic refreshing of network equipment, and less into day-to-day operational maintenance.

How different industries are responding

Research also finds that, while some industries are improving their security posture –  notably the retail sector – others, including manufacturing industry, are being increasingly targeted as a result of lagging behind in addressing the security risks. The retail industry certainly appears to be learning the lessons of a number of high-profile breaches in recent years. As these organisations process large volumes of personal information and payment card data each day, they are a lucrative target for hackers, and the fact that they appear to be responding effectively is promising. Indeed, the percentage of network equipment with security vulnerabilities in the retail sector has fallen to 67 percent from 81 percent last year.

Meanwhile, the percentage of devices with known, patchable vulnerabilities in manufacturing networks has risen dramatically, from 47 percent last year to 73 percent in 2016. Much of this stems from new vulnerabilities which have been discovered and could be patched in existing systems. The research suggests that the manufacturing sector is in the top five industries most likely to be victim of a cyber-attack. Unless the industry actively strengthens its security posture through patching, it could suffer a significant increase in security breaches, especially as the industrial IoT becomes more pervasive.

Businesses across all sectors must ensure that they are balancing network transformation initiatives with security. This can be achieved by determining the business criticality of applications and business functions supported by devices and allocating patching resources according to the areas with the most critical impact. Only then can organisations ensure that their strategic network refresh enables them to reap the benefits of IoT, mobile working and SDN, without increasing the risk of attack.

Contributed by Rory Duncan, head of security business unit, Dimension Data UKI