Asimily’s “IoT Device Security in 2024: The High Cost of Doing Nothing” report identifies today’s IoT threat landscape as enterprises across industries implement and scale connected devices
Asimily, a leading Internet of Things (IoT) risk management platform, today announced the availability of a new report: IoT Device Security in 2024: The High Cost of Doing Nothing.
The comprehensive report, available as a free download, highlights emerging IoT device security trends and challenges.
Enterprises continue to embrace IoT strategies to streamline operations, boost efficiency, and improve customer experiences. From hospitals to manufacturers to public sector agencies, IoT device fleets are critical for meeting these modernization goals. However, the acceleration in connected device deployment opens new windows for cybercriminals and exposes networks to potential breaches. This report addresses the growing challenge of securing IoT devices and explores the consequences for businesses neglecting sufficient cyber resilience. It also provides valuable guidance for implementing a comprehensive approach to mitigating IoT-related cyberattack risks.
Among the key findings and analysis included in the new report:
- Breach tactics continue evolving: Cybercriminals seeking confidential proprietary data to sell for financial gain look for and infiltrate vulnerable and often-unsecured IoT devices to establish initial access to an enterprise’s network. That tactic supports ransomware attacks as well, with criminals gaining access via IoT endpoints, encrypting data, and extorting ransoms. In other cases, nation-state-sponsored groups are motivated to shut down or disrupt the services of their targets. A common tactic is harvesting vast fleets of vulnerable IoT devices to create botnets and utilize them to conduct DDoS attacks. Attackers also know they can rely on unresolved legacy vulnerabilities, as 34 of the 39 most-used IoT exploits have been present in devices for at least three years.
- Routers are the most targeted IoT devices, accounting for 75% of all IoT infections. Hackers exploit routers as a stepping stone to access other connected devices within a network. Security cameras and IP cameras are the second most targeted devices, making up 15% of all attacks. Other commonly targeted devices include digital signage, media players, digital video recorders, printers, and smart lighting. The report also highlights the especially consequential risks associated with specialized industry equipment—including devices critical to patient care in healthcare (such as blood glucose monitors and pacemakers), real-time monitoring devices in manufacturing, and water quality sensors in municipalities.
- Cyber insurers are capping payouts. Cybersecurity insurance is becoming more expensive and difficult to obtain as cyberattacks become more common. More insurers are now requiring businesses to have strong IoT security and risk management in place to qualify for coverage—and increasingly denying or capping coverage for those that do not meet certain thresholds. Among the reasons why cyber insurers deny coverage, a lack of security protocols is the most common, at 43%. Not following compliance procedures accounts for 33% of coverage denials. Even if insured, though, reputational damage remains a risk: 80% of a business’s customers will defect if they do not believe their data is secure.
- Manufacturing is now the top target: Cybercriminals are increasingly focusing their attention on the manufacturing, finance, and energy industries. Retail, education, healthcare, and government organizations remain popular targets, while media and transportation have been de-emphasized over the past couple of years.
“Vulnerable IoT devices continue to be a glaring cybersecurity weak spot for many, many enterprises,” said Kenan Frager, VP of Marketing, Asimily. “In the rush to absorb all of the business benefits these devices deliver, sufficient security—and the impact that security has on the broader network—is too often left unchecked.”
“Regardless of industry, an attack on IoT infrastructure can and will result in operational downtime, loss of IP, loss of revenue, and reputational harm. Regulatory compliance adds another layer of pressure, with steep fines and sanctions looming for breaches that affect HIPAA, PCI DSS, NIST, SOC 2, and other increasingly stringent mandates.”
“There’s a clear and urgent need for more businesses to prioritize a more thorough risk management strategy capable of handling the unique challenges of the IoT,” said Shankar Somasundaram, CEO, Asimily.
“While organizations often struggle with the sheer volume of vulnerabilities in their IoT device fleets, crafting effective risk KPIs and deploying tools to gain visibility into device behavior empowers them to prioritize and apply targeted fixes. This approach, coupled with a deeper understanding of attacker behavior, enables teams to distinguish between immediate threats, manageable risks, and non-existent dangers. The right strategy equips organizations to focus efforts where they matter most, maximizing their resources while ensuring the security of their IoT ecosystem at scale.”