IoT security is too hard, so we’re giving up

Back in 2015, I was talking to the CEO of American Electric Power at a Fortune event, and he told me that the company had an entire floor of employees focused on cybersecurity vs. just a handful of employees a few years earlier. And those employees were constantly fending off attacks. But his focus at the time was centered more around protecting the organization’s computer networks. Now threats come over networked cameras or through hackers attaching a rogue thermostat to a network.

And as to the facilities that are getting connected, their IT operations staff are busy doing other things. The security folks Pwnie Express surveyed said their employers were more than twice as likely to have a security policy in place for IT devices than for IoT. If those companies do have a security policy, only a little more than one-third of their security pros said that they themselves are involved in checking that the devices are compliant, and two out of five said they either didn’t ensure devices were compliant or they weren’t sure if anyone in their organization checks if they are or not.

So basically when it comes to things that aren’t computers, most of those tasked with IT security are running blind. To solve this, I’ve proposed thinking about IT security more like the facilities guys view operations security. Todd DeSisto, CEO of Pwnie Express, adds that when companies buy connected products, someone from the security team should be involved in the purchasing decision. A doctor excited about a connected MRI might not think about the patching and support contract associated with the machine, but keeping it free of vulnerabilities will be at the top of the CISO’s mind.

DeSisto also says the survey results that surprised him the most were that professionals were abundantly aware of increased risks, but their companies had done little to try to address clear problems, such as not knowing what was on a network. “The complexity makes it hard for people to solve,” DeSisto says. “There are a lot of stakeholders, no standards, long life cycles, and any number of things in the wild, running in non-traditional environments.” So they give up.

Unfortunately, many of the concerns about security vulnerabilities are going to get worse before they get better. Almost a third (64 percent) of survey respondents said they are more worried about device threats than they were at the same time last year. The reigning solution so far seems to be some type of network monitoring function that can help security professionals. And it would be beneficial for companies to at least know what’s on their network, especially when 51 percent are concerned with purpose-built rogue devices yet only 24 percent can monitor for them in real time.

The solutions, however, are difficult to implement, require skilled people, and can be costly. That’s the opportunity Pwnie Express is banking on, but it’s also leading to a bunch of security checklist offerings such as this one issued recently by AIG. The checklist aims to be a “set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks” and “is intended to help strengthen, prioritize, and focus on a smaller number of actions with high pay-off results.”

But if you download the document looking for the easy way out, I’m sorry to say that the checklist contains 46 items that range in complexity from “Eliminate unnecessary services and unused ports” to “Conduct security testing on third-party devices and software utilized in your business and products.” The problem with putting connectivity in everything is that criminals can take advantage of just about anything. No wonder security professionals are ready to give up.