Most IoT cyberattacks result in downtime, compromised data, compromised end-user safety, brand or reputational damage, or a loss of intellectual property, according to a new Irdeto report.
The majority of healthcare organizations, IoT manufacturers, and other organizations that leverage IoT devices have faced a cyberattack focused on IoT within the last 12 months, according to a report from Irdeto, fielded online by Vanson Bourne.
Researchers surveyed 700 security decision makers from the US, UK, Japan, Germany, and China, from the connected health, connected transport, and connected manufacturing industries to determine the types of cyberattacks targeting IoT devices, concerns about the tech, and security measures in place.
They found that 82 percent of healthcare organizations’ IoT devices have been targeted with a cyberattack within the last year, compared with 80 percent of organizations overall.
Manufacturers were the second hardest hit (79 percent), followed by connected transport (77 percent). Of those organizations, 90 percent were seriously impacted by the event, with impacts including operational downtime, compromised data or intellectual property, compromised end-user safety, or reputational damage.
Overall, 81 percent of US organizations have faced an IoT cyberattack. Operational downtime was the biggest impact for those organizations (55 percent), followed by compromised customer data (37 percent), and compromised end-user safety (36 percent). Only 11 percent said they had no impact after the IoT security event.
What’s worse, only 17 percent of the IoT devices used or manufactured by large enterprises have not experienced a cyberattack in the last 12 months.
On average, an IoT-focused cyberattack cost healthcare organizations $346,205, slightly higher than the overall average for all industries, which totaled $330,602. Just 7 percent of these attacks had no financial impact.
The researchers noted that some of these numbers appeared to be significantly lower, and some organizations might not be taking into account all of the costs related to the cyberattack, such as lost business, the cost of correcting vulnerabilities, and other areas.
“Underestimating the true cost of a cyberattack could result in a major wakeup call for organizations that haven’t implemented robust protection,” researchers wrote. “It’s also possible that with IoT proliferation in these industries being in its relative infancy, the current cost of cyberattacks on these devices is not as catastrophic as in other parts of the business.”
“However, if this is the case, the costs will surely skyrocket as IoT devices become more abundant and connectivity continues to increase throughout the business,” they added.
IOT VULNERABILITIES AND LOOKING AHEAD
For more than half of US respondents, the software used by their organization held the most pressing IoT vulnerabilities. The IoT device itself was ranked third (49 percent), after the IT network (51 percent). For 41 percent, mobile devices and apps held the most vulnerabilities, followed by employees at 32 percent.
Adding to the issue: 93 percent of manufacturers and 96 percent of users said the devices they manufacture or use could be improved a little or to a great extent. Those numbers increase for the healthcare sector, with 98 percent saying IoT devices have room for improvement.
The overwhelming majority (83 percent) of organizations are concerned about IoT devices being targeted by cyberattacks, hacking, or a security breach, with 82 percent expressing concern that these devices are not adequately secured.
What’s troubling is that 26 percent of organizations do not have software protection in place, and 52 percent do not have mobile app protection. Only 49 percent make security part of the product design lifecycle process, while just 53 percent conduct continuous security and/or code reviews.
For the researchers, these statistics show that security is still treated as an afterthought instead of a proactive measure.
“The previous mindset of security as an afterthought is changing: 99 percent agree that a security solution should be an enabler of new business models, not just a cost,” researchers wrote. “This clearly indicates that businesses realize the value add that security can bring to their organization.”
As healthcare struggles with patching issues and reliance on legacy platforms, the report reinforces the need for providers to strengthen their IoT security posture. Industry stakeholders have stressed that a lack of standard guidance could be contributing to the lack of overall awareness.
Currently, NIST is working toward creating IoT guidance in an effort to shore up those gaps, while Congress has also drafted bipartisan legislation to create IoT cybersecurity standards. As hackers have already been spotted targeting vulnerable IoT, healthcare organizations will need to be more proactive.
“The benefits brought to a wide range of industries by the IoT are not in doubt. However, greater connectivity opens organizations and their customers up to a myriad of additional vulnerabilities that must be considered from the outset,” researchers wrote.
“A strong security strategy is crucial to ensure the benefits of IoT can be realized in sectors like transport, healthcare and manufacturing, while the risks are mitigated,” they added. “Cybercrime is a business where hackers have the advantage. To combat the rising trend, all companies participating in the ecosystem must be on top of their game. If you want to take advantage of the benefits of connected devices or software, you need to choose wisely where to spend your time and budget.”
Date: September 04, 2019