Modernize Your PKI → Optimize Productivity → Reduce Risks    |Here’s how to replace Microsoft PKI with EJBCA

From Keyfactor’s State of IoT Security Report: IoT Usage and Attacks Both on the Rise

Internet of Things (IoT)

Connected devices have crept into every imaginable industry, and practically every workflow touches an IoT device at some point. While many solutions are commonplace, like security cameras, others, like inventory tracking systems and hybrid workforce strategies, are allowing businesses to achieve a more competitive edge. 

But IoT adoption is a double-edged sword for organizations that neglect to consider the security implications. 

An exploding volume of machine identities drastically expands an organization’s attack surface. Each device becomes a potential entry point for a malicious actor. This threat must be accounted for in the organization’s security strategy — but doing so can be difficult. 

The IoT landscape is shifting constantly. From new devices to new standards and regulations, securing these opportunities can be a moving target. Keyfactor’s first-ever global IoT security report was designed to give leaders a picture of that landscape and the perspective they need to keep innovating without creating risks through IoT.

The report offers insights for organizations leveraging IoT devices, in addition to security leaders and Original Equipment Manufacturers (OEMs). Here are a few big takeaways for IoT-driven organizations.

The prime drivers of IoT usage

When asked what motivations are driving the use of IoT and connected products within their organizations, the top three responses were:

  • Safety and Security (52%)
  • Digital Transformation (51%)
  • Hybrid Work (49%)

In a digital-driven world, it’s easy to forget about the challenges of physical safety or take them for granted.

Smart locks and wireless security cameras are a few common examples, but even these tools are evolving on both the commercial and consumer side

Smart locks are no longer merely connected to devices. They come equipped with biometric capabilities, like fingerprinting and facial or voice recognition. Smart lock systems can be customized to function during a particular time of day, and different permission sets can be given to different types of guests or users. Revoking biometric access digitally is much easier than retrieving a key or changing the physical locks.

IoT security cameras are no longer just a wireless version of CCTV. License plate reader cameras (LPR) provide better evidence that gives law enforcement more grounds to take action. They have proven instrumental in preventing unauthorized access and combating theft and organized retail crime

Organizations of 5,000 or more employees were most intent on using IoT to drive digital transformation initiatives.

For industries like oil and gas, the ability to deploy diagnostic tools in the field grants the business real-time data on everything from windmills to oil tanks, while saving them the costs of sending an employee to far-flung locations to check status. 

Digital twinning uses connected sensor data to construct a virtual model of a physical object. That model can then be studied and experimented with to produce insights for improvement. This allows organizations in industries like manufacturing to test new methods and materials without the costs and labor of constructing a physical prototype. 

The future of what work looks like is still in flux. Even organizations bent on a return to the office are working to make the office more flexible and dynamic through IoT.

Office-based organizations are leveraging connected devices and sensors to understand team members’ behavior to make better decisions around commercial real estate investments and office design. 

This behavioral data can show where employees are experiencing friction in the office – time waiting for elevators, traveling from one part of the office to the next, or searching for spaces that have the tools they need to work. 

By eliminating this friction, organizations can create better workplaces that meet the expectations of hybrid work and give employees an experience worth returning for. 

Additionally, these property tech tools can lower commercial real estate costs, reduce energy consumption, and make progress toward sustainability goals.

Cyberattacks on IoT devices appear almost inevitable

On average, organizations report a 20% increase in the number of IoT and connected products they use over the past three years. Yet 97% of organizations face challenges in securing their IoT and connected products, and 89% said their IoT products have faced cyber attacks in the last 12 months. 

This begs the question, are they using the wrong tools, the wrong methods, or both?

While IoT security budgets are on the rise, so are attacks. Sixty-nine percent of organizations reported an increase in attacks on their IoT devices in the last three years. On average, 52% of the IoT security budget ends up going toward mitigating the damage of attacks. In the past year, organizations lost an average of $263,035 to cyber breaches experienced through their IoT products. 

The challenge is two-fold.

While connected devices have been commoditized, not all are created equal.

IoT devices, in general, typically have low computing power, which means there is little room to implement security within the device’s design

That seems to be changing. In 2023, the White House debuted a cybersecurity label for smart devices that indicate which products are most resistant to hacking. But in the meantime, it is somewhat ambiguous who is more responsible for device security: product designers, device manufacturers, or end users themselves. 

In Keyfactor’s survey, respondents’ opinions on this matter were mixed, though the most popular sentiment (38%) was that the manufacturer and the user should be equally responsible. 

Secondly, many attacks happen upstream.

For example, the Verkada security camera hack of 2021 exposed a host of Verkada customers, including Tesla and Cloudflare, as well as numerous jails, hospitals, and schools. In 2017, Avanti Markets’ self-service payment kiosks, commonly deployed in corporate break rooms, were breached, causing outages and disruptions for end users. 

If devices are compromised at the brand level, there’s nothing an organization can do to prevent it. Still, they must have controls in place to defend their systems at the local level. 

Public key infrastructure (PKI) may be one answer to these problems. By centralizing and automating the creation, issuance, and revocation of machine identities and digital certificates, organizations can scale IoT usage without creating additional risk. 

IoT is here to stay

It’s exciting to see how IoT devices are being applied to new and more complex problems. From more efficient energy management to creating healthier spaces to improving recycling and sustainability practices, IoT stands to unlock unimaginable innovations and an unprecedented quality of life.

But security can’t be an afterthought. As our public, personal, and professional lives become more entwined with the digital world, organizations will be less and less able to afford breaches and outages. 

The future of IoT isn’t just on its way. It’s practically here already. To see where your organization stands and start plotting a path to a secure tomorrow, check out the full report.