You’re driving to the supermarket when, suddenly, your check engine light comes on. Nothing sounds wrong — your vehicle is still moving just fine, and you really have to go shopping. So for now, you’ll deprioritize the check engine light. Yes, you have also deprioritized those oil changes, the coolant flush, the tire rotation, and that little squeak in one of the brakes, but you have a lot to do, and right now, these aren’t priorities. On the following Monday, after having the check engine light on all week, your car won’t start — nothing. You call the auto shop in frustration, and when asked what’s wrong, you exclaim, “the check engine light just came on — I don’t know how this happened!”
In May 2023, Forrester published The State Of IoT Security, 2023, which indicated that, based on our 2022 data, 33% of global security decision-makers said corporate IoT devices were the top target for external cyberattacks. Looking back at our data from previous years, a pattern emerges: IoT devices within the enterprise are being directly targeted for attack, over and over. We also observed a disconnect between different infrastructure and security leaders when it comes to the prioritization of securing IoT devices.
IoT devices are not new items within an organization’s infrastructure. These devices have been around for decades and are deployed alongside newer, industry-focused solutions. Printers and fax machines (people still use fax machines, believe it or not), high-speed document scanners, security cameras, or access-control security devices have been running forever, and these are in addition to industry-specialized devices such as medical imaging and infusion pumps in healthcare, 3D printers and rapid prototyping within engineering, or ATMs and wearable devices in banking. Determining ownership of and securing these devices has been a struggle for some time. Older devices did not take common security problems into account, and security vendors didn’t incorporate solutions to address challenges with IoT devices until recently. That led security leaders to shift focus to other priorities, as these devices were already inside their protected network — how much harm could they cause?
This isn’t all doom and gloom, however. There are different ways to address these problems, both modern and old-fashioned, and this is what I’ll be talking about at the 2023 Security & Risk Forum, November 14 and 15 in Washington, D.C., where I’ll be leading the breakout session, Ignoring IoT Security Doesn’t Make The Problem Go Away. We’ll talk about why implementing this security was problematic, what happened when it wasn’t addressed, and how to use modern solutions to get a handle on protecting these assets and your data. I look forward to seeing you there!