According to IDC, the potential cybersecurity and physical safety concerns associated with IoT devices will pressure CIOs at Global 2000 companies to increase IoT security spending by up to 25% by 2020. A recently published Forrester study finds spending on global cloud security solutions will reach $3.5 billion by 2021 — an annual growth rate of 28%. And the Thales 2018 Data Threat Report found that 57% of businesses report the bulk of their security budget is allocated to endpoint and mobile security technologies.
So which represents the greater threat to organizations – IoT, cloud, or mobile? We reached out to cybersecurity and tech experts to get their perspective on where the biggest vulnerabilities lie – and what steps security teams should take to tighten those vulnerabilities.
The IoT Threat
“IoT security remains one of the most challenging security vulnerabilities to businesses and consumers,” says Kayne McGladrey (@kaynemcgladrey), Director of Information Security Services at Integral Partners. “The Mirai and Reaper botnets are results of threat actors leveraging poor security controls on IoT devices, building attack infrastructure out of those devices, and using that stolen infrastructure to attack organizations. Organizations purchasing IoT/IIoT devices should treat them the same as any other endpoint device connecting to the corporate network.”
Edward Featherston (@efeatherston), VP, Principal Architect at Cloud Technology Partners, agrees. “While all three present security challenges and risks to the business, IoT has the largest potential of security vulnerability risk,” he says. “Security teams need to fully understand the limits and risks associated with the increased attack surface of these devices, and work with vendors on SLAs (service level agreements) to ensure the security levels organizations need are being met.”
One of the biggest IoT risks is the lack of security right out of the box for many devices, according to some experts.
“IoT devices are often shipped with little to no security in their default settings. This kind of vulnerability cannot be overlooked,” says Tyler W. Stearns (@CloudTechReview), Editor at Solutions Review. “A simple precaution is to actively update firmware and to change the default passwords.”
“We have already witnessed too many cloud and mobile exploits to count, so my greatest fear for future vulnerabilities lies within the still young world of IoT,” says Scott Schober (@ScottBVS), President/CEO of Berkeley Varitronics Systems. “Manufacturers need to develop and agree upon industry standards for security. They then need to develop products from the onset with these security standards in mind.”
“IoT devices by their sheer number (there are more IoT devices now than people on the planet) continue to be a concern, especially at the lower end of the market. Configuration, enabling automatic updates, and changing default passwords are a must,” says Nige Willson (@nigewillson), Global Strategist at Microsoft.
The Cloud Threat
Others believe the cloud poses the greater risk to organizations.
“As more organizations move to the cloud, the cloud will continue to be vulnerable, not due to cloud insecurity, but more so due to lack of employee security awareness,” says Robert Siciliano (@RobertSiciliano), security analyst with Hotspot Shield.
Tony Flath (@TmanSpeaks), Senior Practice Lead, TELUS Security, agrees that the cloud poses the greater threat. “The biggest security vulnerability to business in the year ahead will be cloud,” he says. “There is such a large infrastructure move to public cloud with more and more organizations putting their crown jewels in the cloud. So, the payload is high value for the hackers.”
Among the steps security teams should take to tighten cloud vulnerabilities, Flath suggests: leveraging sound cloud security methodology; deploying a next-generation firewall in front of a new cloud infrastructure; and controlling remote access users with a secure VPN and two-factor authentication (2FA).
“Taking a security-first mentality and adopting for cloud considerations will allow for the great scale and growth that cloud computing offers,” Flath says.
“The cloud is going to be the biggest security vulnerability in the year ahead for a majority of businesses,” says Will Kelly (@willkelly), a technical writer and content strategist. “Tightening up cloud vulnerabilities starts with shoring up your team’s cloud architecture and admin skills through training. Your people need to get intimate knowledge of how your cloud storage works.”
Diana Nolting (@DianaNolting), Product Manager at BlueLock, says cloud is particularly risky due to the nature of third-party vendor relationships.
“One of the biggest unacknowledged vulnerabilities for businesses today exists in the use of third-party vendors,” says Nolting. “Any vendor, cloud-based SaaS application, or service offerings used by a business needs to treat security at or above the standard of the client’s business; which isn’t always a given. The clients need to drive that critical requirement from their suppliers and hold each accountable. Without that focus, pressure, and partnership between client and vendor to ensure secure vendors, cloud applications, and systems, the weakest link is often not found within the business’s four walls.”
Jacob Calbillo (@jakecalbillo116), Information System Security Engineer (ISSE), suggests that simple checks and balances can go a long way in tightening up cloud vulnerabilities.
“Make sure your systems and applications are patched, encrypt your data in motion and at rest, and review/audit the data security policies of your cloud provider as well as their compliance certifications,” Calbillo says. “These are the first steps to ensuring your business’s security on the cloud.”
A Triple-Headed Threat
“To me this is an interesting question in that mobile, cloud and IoT are becoming tightly integrated,” says Thomas Willingham (@GotTWilling), a product marketing leader and evangelist. “IoT systems are just becoming another type of mobile device. Mobile devices leverage the cloud for data and resources. The cloud uses IoT and mobile devices for data collection and distribution.”
“These technologies are only as vulnerable as they are insecurely implemented,” says Ben Rothke (@benrothke), Principal Security Consultant at Nettitude. “They are all as risky as you [allow] them to be.”
As organizations embrace IoT, cloud, and mobile technologies to transform their business, it’s clear that they’ll need to keep cybersecurity top of mind to reduce vulnerabilities and risk. Visit AT&T Managed Cybersecurity Services to learn more about emerging threats and the security priorities that demand your attention.