When business leaders think about the Internet of Things (IoT), they tend to focus on the potential opportunities for the enterprise and give far less attention to security risks. That’s a mistake. So, too, is believing that the IoT is only a concept on the distant horizon. The IoT already exists and is expanding rapidly. In fact, according to Gartner, at the end of 2016 more than 6 billion Internet-connected devices were in use worldwide; the research firm projects that by 2020, the number will exceed 20 billion.

To underscore the realness of the IoT, and why it’s critical for organizations not to dismiss IoT security risks, just consider what’s happening in the threat landscape. First, IoT botnets, and their population, are growing larger every day. And IoT-driven DDoS attacks of significant power—over 1 TBps—are actually last year’s news. (The Cisco 2017 Midyear Cybersecurity Report, which features IoT botnet research discusses these developments in detail.)

So, the IoT and IoT-related threats are very real. A massive compromise of IoT devices has the potential to severely disrupt not only organizations, but also the Internet itself. Fortunately, we are still in the early days of the IoT, which means there’s still time for defenders to do their part to help secure it.

Martin Lee summed up the unique but fleeting security opportunity that the IoT presents to defenders in a recent blog post: “As the world builds the infrastructure and deploys the devices that comprise the IoT, we as a society have the opportunity to apply the decades of good practices learned as part of the development of the Internet—including painful lessons about the importance of security.”

A top priority for all enterprises: more visibility

In the Cisco 2017 Midyear Cybersecurity Report, we outline several of the “good practices” that security teams should apply to IoT devices. Implementing patches promptly and employing IPS defenses are just two of our recommendations. These devices are computers and, therefore, require the same security measures as any other networked machine. But IoT devices typically lag well behind desktop security capabilities and have vulnerability issues that can take months or years to resolve and even with some issues never being addressed.

The top IoT security priority for any organization, though, should be gaining visibility into their budding IoT environment. This is a critical first step to IoT security. Enterprises need to know what IoT devices are connected to their network today and study how they are behaving.

If organizations have no idea what computers, of any size or type, are on their network, and what those computers are touching, how they’re interacting with other devices, and what their normal network traffic patterns are, then they can’t even begin to secure their network. And that lack of visibility will only get worse as the number of IoT connections grows exponentially over time, and as IT and operational technology (OT) systems become increasingly more integrated. Without visibility IoT devices offer our adversaries a safe haven inside our network. A place to observe, plan, and carry out future attacks.

Defenders must act now to address IoT security, or risk repeating critical mistakes that we made when building the Internet. This time, we all know better.

Borrowing again from my colleague’s blog post: “For businesses and consumers to truly embrace the convenience and power of IoT, they must feel fully confident that we’re building IoT with security foremost in mind.” For organizations, gaining that confidence will hinge on developing a proactive approach to security and a layered defense strategy—and understanding that every insecure IoT device, large or small, connected to their corporate network creates a security gap for attackers to exploit.

Read more about IoT-related threats and other security trends in the Cisco 2017 Midyear Cybersecurity Report.


Craig Williams


Talos Outreach