According to a new Microsoft study in conjunction with the Ponemon Institute, the Internet of Things and new innovations in operational technology are becoming critical for business, but are simultaneously increasing an organization’s cyber risk.
Researchers surveyed more than 600 IT, cybersecurity and OT security experts across the U.S., and found that many organizations are making significant investments in the Internet of Things (IoT) and operational technology (OT), but aren’t updating their security policies to apply to those investments.
The survey shows that 68% of respondents say senior management believes IoT and OT are critical to supporting business innovation and strategic goals, and 65% say senior managers are making IoT and OT projects a priority.
Meanwhile, a disappointing number said their organizations proceeded with caution due to cybersecurity concerns. According to the research, just 31% of IT security practitioners have slowed, limited, or stopped the adoption of IoT and OT projects due to security concerns.
However, a majority of respondents recognize the security pitfalls of IoT and OT, as 55% say those devices were not designed with security in mind, and 60% say those technologies are the least secure of their technology infrastructure.
“Based on the data, it appears that business interests are currently taking priority over the increased security risks that organizations assume, as they advance their IoT and OT projects,” reads a Microsoft blog on the study. “This puts security and risk leaders in a difficult place and explains why IoT and cyber-physical systems security has become their top concern for the next three to five years.”
The research also showed that IoT and OT devices are increasingly directly connected to the internet, making them targets that can be breached from outside the organization. According to the research, 51% of OT networks are connected to corporate IT networks like SAP and remote access. These devices are no longer segmented away from corporate networks, and Microsoft calls on IT teams to move away from those legacy assumptions.
Meanwhile, 88% of respondents say their organization’s IoT devices are connected to the internet for things like cloud printing services, and 56% say OT devices are connected to the internet for remote access and other purposes.
The threat of IoT and OT devices being compromised has garnered much attention recently, and it is very real, according to the research, as nearly 40% of respondents said they’ve experienced an attack where IoT or OT devices were the actual target or used to conduct broader attacks.
However, securing IoT and OT devices is a challenge, the research shows, as just 29% of respondents have a complete inventory of those devices.
Those that do have a complete inventory have a lot on their hands, as the average number of IoT and OT devices is nearly 9,700. Even more alarming is that 42% say they don’t have the ability to detect vulnerabilities on those devices, and 64% expressed having a low or average level of confidence that those devices are patched and up to date.
When it comes to threat detection, technology experts are having a hard time determining if an IoT device is compromised, as 61% have low or average confidence in their ability to do so.
In the blog, Microsoft points IT security leaders to its newly announced features for Microsoft Defender for IoT. Announced during the company’s Ignite conference last month, the tool now features agentless monitoring capabilities to help secure IoT devices connected to IT networks including VoIP, printers and smart TVs.
Read the company’s blog for more information on the product and how to secure OT and IoT devices.