IoT Security Incidents Rampant and Costly
New research offers details about the hidden – and not so hidden – costs of defending the Internet of Things.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltcc142c6b38309915/64f0d78c17fe28040dfa136d/01-Page-One.jpg?width=700&auto=webp&quality=80&disable=upscale)
Internet of Things breaches and security incidents have hit nearly half of the companies that use such devices, and the cost to deal with these attacks is usually more than traditional breaches, according to recent survey results.
In two separate reports, each of the studies found that 46% of respondents report they suffered a security breach or incident as a result of an attack on IoT devices.
One survey, released this month by IDC, queried approximately 100 IT security, IT operations, and other C-level suite executives, while another, released in June by consulting firm Altman Vilandrie & Co., gathered data from approximately 400 IT executives in 19 countries.
Not only are the costs associated with securing IoT devices expected to rise in the coming years but they are also expected to account for as much as of a third of the IT spending budget, according to Altman Vilandrie. The vast majority of IDC survey respondents say the cost to address IoT security incidents and breaches tends to run more than the cost of fixing traditional breaches and incidents.
Here is a breakdown of the combined results.
More than half of the companies with annual revenue of less than $499 million faced up to $250,000 in financial losses as a result of an IoT breach, according to the Altman Vilandrie report. The financial hit was especially hard on companies with annual revenue of less than $5 million, which represents approximately 13.4% of their annual revenue, the report says.
Meanwhile, nine companies that generate $5 billion in annual revenue or more rang up losses of at least $20 million, the survey notes.
"The sample size on the $5 billion-plus companies is only 5% of respondents," says Ryan Dean, a principal with Altman Vilandrie, and one of the authors of the report. "In general, the financial impact on the largest businesses will probably vary greatly depending on the type and impact of the breach."
Nearly half of survey respondents in the IDC report report a security attack on their IoT devices.
"I would have expected it to be much lower," says Robert Westervelt, an information security analyst with IDC. "IoT is still in the early days and I would have expected the results to be around 10% to 20%, not 46%."
Meanwhile, nearly two-thirds (63.5%) of survey respondents in the financial services industry and almost half (47.2%) in the healthcare industry say their organizations experienced an IoT security breach or incident.
Because the vast majority (93.2%) of survey respondents call in third-party services or vendors such as IoT forensic specialists to help them fix or assess an IoT breach or incident, the report finds that 70.1% of respondents say IoT attacks are more costly to deal with compared with traditional breaches or incidents.
Over the course of two years, 46% of survey participants in the Altman report say they encountered an attack or breach of their IoT device or network. Altman's Dean says he is surprised by the high percentage of survey respondents reporting an IoT attack.
The take-away for CISOs should be the recognition of three big potential IoT security risks, says Dean. The first is that the lack of investing in security to address IoT threats can leave an enterprise potentially exposed to such attacks. Another is that failing to realize that an IoT breach and incident can not only potentially damage the device and its surroundings, but it can also result in a loss of revenue, brand reputation, and additional costs such as legal fees and payouts to customers for recalls. And lastly, CISOs face a potential risk if they are not willing to undertake the challenge of weighing mature security vendors against IoT security startups, which may, potentially, offer a more targeted solution to secure this newer form of technology.
Companies that spend a portion of their IT security budget on IoT security are less apt to encounter an IoT breach, according to the survey results.
Of the more than half (52%) of survey respondents whose organizations did not experience an IoT breach in a two-year period, a full third (33%) say they spent some of their IT security dollars on IoT security, according to the report. And for the companies that did get hit with an IoT breach, only 20% say they allocated a portion of the IT security budget to safeguarding IoT devices.
"Companies that are spending less on security, for example 20% in this case, are more likely to have a breach," Dean says. "Conversely, if a business spends more on security, for example 33% in this case, they are less likely to have a breach because they are spending more."
IDC finds the IoT market is not only young but is rapidly maturing, with 40% of survey respondents indicating their companies have undergone six to 10 IoT implementations. In the financial services and healthcare industries, organizations expect IoT security costs to rise from its current level.
IoT security currently comprises 15% or less of IT budgets, IDC's Westervelt says, noting that as companies add end-point, network, and Web security solutions, they will need to extend to an IoT environment.
The IDC survey found 62% of respondents anticipate IT security spending will rise. The financial services and healthcare industries expect security analysis, data loss prevention, and other traditional IT solutions to be used to mitigate IoT risks, according to the IDC report, which was commissioned by Spirent.
"IoT medical devices use sensors to communicate and a lot of the IoT IT security spending in healthcare is driven around regulatory compliance," says Westervelt.
Loss of control over the IoT device was one of the top reasons why IT execs purchase IoT security, according to the Altman Vilandrie report. This is driven by public safety issues, for example, the infamous remote commandeering of a Jeep Cherokee, says Dean.
The top ranking is a combination of both the No. 1 reason, prevention of customer information, and the No. 2 reason, a loss of control over an IoT device. In explaining why the top two reasons were combined, Dean says it was done to broadly reflect the issues that are important to IT executives.
Depending on whether a company suffers an IoT breach or is left unscathed affects their choices of IoT security they wish to buy in the next one to two years, the Altman Vilandrie report finds.
In the survey, 71% of respondents whose companies got hit with an IoT breach listed "defense technology" as what they wanted to snap up within the next couple of years, making it the most sought after IoT security solution among this group. For companies that have yet to suffer from an IoT breach, the top IoT security solution on their list is monitor and control products, according to the report.
"Our interpretation is that the intention to purchase a 'defend' product among the breach segment is indicative of reactionary purchasing," observe Dean. "These respondents would have had a breach in the past and may not have had adequate security 'defense' solutions in place. Conversely, the other segment may have better security proposals in place and be more focused on 'monitoring and controlling' to manage the end points and systems." .
Depending on whether a company suffers an IoT breach or is left unscathed affects their choices of IoT security they wish to buy in the next one to two years, the Altman Vilandrie report finds.
In the survey, 71% of respondents whose companies got hit with an IoT breach listed "defense technology" as what they wanted to snap up within the next couple of years, making it the most sought after IoT security solution among this group. For companies that have yet to suffer from an IoT breach, the top IoT security solution on their list is monitor and control products, according to the report.
"Our interpretation is that the intention to purchase a 'defend' product among the breach segment is indicative of reactionary purchasing," observe Dean. "These respondents would have had a breach in the past and may not have had adequate security 'defense' solutions in place. Conversely, the other segment may have better security proposals in place and be more focused on 'monitoring and controlling' to manage the end points and systems." .
Internet of Things breaches and security incidents have hit nearly half of the companies that use such devices, and the cost to deal with these attacks is usually more than traditional breaches, according to recent survey results.
In two separate reports, each of the studies found that 46% of respondents report they suffered a security breach or incident as a result of an attack on IoT devices.
One survey, released this month by IDC, queried approximately 100 IT security, IT operations, and other C-level suite executives, while another, released in June by consulting firm Altman Vilandrie & Co., gathered data from approximately 400 IT executives in 19 countries.
Not only are the costs associated with securing IoT devices expected to rise in the coming years but they are also expected to account for as much as of a third of the IT spending budget, according to Altman Vilandrie. The vast majority of IDC survey respondents say the cost to address IoT security incidents and breaches tends to run more than the cost of fixing traditional breaches and incidents.
Here is a breakdown of the combined results.
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024