Understanding IoT Adoption and Risks

In 2015, former Cisco research David Evans calculated how many devices were being added every second. At the time, an average of 127 new things were being connected to the Internet every second. 328 million things were being connected every month, approximately one for each person in the U.S.

Fast forward to 2020 and the IoT market has exploded. From connected cars and video cameras to smart virtual assistants and HVAC systems, the IoT market is now expected to grow to 31 billion connected devices by 2020 and 75 billion devices by 2025.

With so many devices proliferating, security and risk professionals need to be much more aware of the expansion of their attack surface. Each device represents a new attack vector for cyber attackers.  The recent spate of vulnerabilities that impact IoT recently, from Ripple20 to SIGRed, demonstrates the importance of securing these devices.

But what types of risks should enterprises expect to find in their environment? How best should they protect themselves?

Today, we’re excited to release the inaugural Rise of the Machines: 2020 Enterprise Adoption and Risk Report. We examined more than 5 million unmanaged, IoT, and IoMT devices in Ordr customer deployments across a variety of verticals including healthcare, life sciences, retail and manufacturing, between June 2019 and June 2020. Ordr strongly believes in the importance of sharing this type of data with the global security communitiy to better understand IoT risks and secure their organization.

Among the report’s most interesting findings were the frequent discovery of consumer-grade shadow IoT devices on the network such as  Amazon Alexas and Echos.

We love the perspective that Zeus Kerravala, founder and Principal Analyst at ZK Research provided, “In some of my recent research around enterprise IoT security I’ve found that more than 51% of IT teams are unaware of what types of devices are touching their network. But perhaps what is more disconcerting is that the other 49% often times find themselves guessing or using a ‘Frankenstein’d’ solution to provide visibility into their network security, which will almost always create security issues. Shadow IoT is becoming a real security challenge, as It’s not enough to have the visibility into what is touching your network, but you need a solution like Ordr’s that allows for you to resolve the issues in a scalable automated fashion.”

Highlights from Ordr deployments include the following:

  • 15-19 percent of deployments had IoT devices running on legacy operating systems Windows 7 (or older). Since it is often not economical to take these critical systems out of service, these devices need to be properly segmented.
  • 20 percent of deployments had PCI-DSS violations where IoT devices with credit card information were on the same subnet or VLAN as a tablet, printer, copier, or video surveillance camera.
  • 86 percent of healthcare deployments had more than 10 FDA recalls against their medical IoT devices, meaning the medical device is defective, poses a health risk, or both.
  • 95 percent of healthcare deployments had Amazon Alexa and Echo devices active in their environment alongside other hospital surveillance equipment. Voice assistants can unknowingly eavesdrop and record conversations and may put the organization at risk of a HIPAA violation.
  • 75 percent of healthcare deployments had VLAN violations where medical devices were connected to the same VLAN and subnet as other non-medical devices.

There are real risks and threats posed by IoT, IoMT, and other connected devices if not accounted for and properly managed. One cannot fix what one cannot see, and with IoT, the discovery and classification is the very first step. Once security and networking have high fidelity visibility into unmanaged and IoT devices, then they need to understand device behavior, perform risk assessment and segment vulnerable and mission-critical devices.

Get your copy of the Ordr Enterprise Adoption and Risk Report today.