ForeScout survey warns of IoT security woes and penetration ignorance
Opening with the proclamation “the Internet of Things isn’t coming, it’s here,” the ForeScout-sponsored report from Webtorials warns that “we are rapidly evolving to a network where we have vast numbers of computing devices that are inherently unsecured.”
The survey questioned Webtorial Community members, as well as students from the SIP School (the SSCA), and collated the answers of those who self-identified as “a professional involved in some aspect of installing, operating, planning or designing and enterprise communications network.” Of course, these are the ideal candidates to purchase ForeScout’s networking security products and services, which specialize in agentless applications.
When asked what percentage of device types or families (not volume) were currently on their networks were non-traditional and/or IoT devices, 16% felt that none of the devices were IoT, with 50% believing the proportion to be up to 25%. That means that 66% of respondents felt that their enterprise networks contained less than 25% IoT devices.
At the other end of the scale, 9% felt that over 75% of their network devices were IoT-related, with 11% answering between 51-75%, and 14% responding between 26-50%.
In terms of the shift that the respondents believe will occur in the next 18-months, the 75%+ segment grows from 9% to 11%, the 51-75% segment increases from 11% to 15%, the 26-50% expands from 14% to 21%, with the 1-25% shrinking from 50% of respondents to 43%. The 0% total shrinks from 16% to 9%.
So it seems that the penetration of IoT devices in the enterprise in the next 18-months is going to increase, with the headline figure being that the number of zero-device enterprises shifting from 66% of the total to 52% – a 14-point decline.
But the sheer number of things on the network isn’t a proof of approval. Some 85% answered that they weren’t confident in being able to know all IoT devices on their networks and being able to control them so that they couldn’t become security liabilities for cybercriminals. Some 24% said not at all, and 23% responded with very little – with only 30% responding in the affirmative.
The report pulled something of a trick on the respondents, in that it locked their original IoT device answers, so that when it presented them with a list of IoT devices (which we would mostly agree with, depending on the application), they had to acknowledge that there were in fact more IoT devices on their networks than they initially thought.
As such, only 3% of respondents had none of the IoT device types on their networks, compared to the 9% response in the initial questions. Some 21% had 1-5 devices, 39% had 6-10, 26% had 11-15 things, with 9% counting 16-20, and just 2% on 21 or more.
Those numbers sound very small, but the list includes traditional office equipment and computers, with the newer IoT devices including things like door and security alarms, video surveillance, and scanners. Those categories are the ones that scream IoT, but the other devices are evolutions of existing products too, but ones that still don’t directly carry out a process that we would instantly think of as IoT – which is why we would agree with their inclusion, as long as they are contributing to an IoT application somewhere.
Examples of this might include computers or phones that are monitored to guess room occupancy and therefore the required HVAC settings for an office or building. The terminal or phone itself isn’t a direct IoT device, but when it is included in a connected HVAC system, it becomes a key part on an IoT deployment.
So this line of thinking might explain why there were an average of 8 things per respondent who initially answered that they had no IoT things. Of that group, only 3% actually had none, but 34% had 1-5, with 43% on 6-10. Notably, another 3% actually had 21 or more IoT devices.
It goes to show the changing face of IoT perceptions in the enterprise. We’ve always viewed IoT devices primarily as evolutions of existing products or services, that have been enabled by improvements in technology – such as low-power radio protocols or miniaturized hardware.
As for securing these new types of devices, alarmingly, only 44% of respondents said that they had a known security policy in place for IoT devices – with 30% saying that their company explicitly didn’t have one, and 26% saying they were unsure. This is the problem with IoT security, and based on the number of reports that agree with ForeScout and Webtorials, it appears absolutely endemic.
The rest of the report is well worth reading, but closes by arguing that when IoT devices are being secured, they are being addressed with an out-dated security paradigm, designed for simpler devices. Of the respondents, only 25% believe that a lack of personal resources is one of the biggest challenges for IoT security, with the leading answer being 41% thinking that getting IT and OT functions working together is the biggest hurdle.