• Verizon Business has published its latest Mobile Security Index report
• It notes the growing reliance of enterprises on IoT devices and the increasing security risks associated with that trend
• Many companies running ‘critical infrastructure’ operations have already experienced a major IoT-related security incident

It has long been recognised but is now being experienced – internet of things (IoT) devices are incredibly useful to enterprises but they also come with major security challenges and now, according to a new Verizon Business report, they are leading to major security incidents involving critical infrastructure.

This is one of the main takeaways from the B2B service provider’s latest Mobile Security Index report, the findings of which are based on a survey conducted in April this year of 600 professionals responsible for buying, managing and securing mobile devices at companies based in the US, UK and Australia, almost 40% of which have international operations. 

The report contains many interesting insights, but one of the most compelling, and concerning, is the growing security threat associated with the deployment of IoT devices by companies operating critical infrastructure. The report helpfully notes that the US Cybersecurity and Infrastructure Security Agency (CISA) designates 16 industries as critical infrastructure sectors, including communications networks and services, the defence/military sector, energy generation and distribution, nuclear power, government/federal operations, financial services, healthcare, transport, certain subsets of the manufacturing industry and more. The majority, about three-quarters, of the survey respondents are from critical infrastructure sectors. 

Verizon Business found that, across all sectors based on results from all respondents, the proportion of companies suffering security compromises via mobile devices (including smartphones and IoT devices) has risen to 53% in 2023 compared with less than 30% in 2018, when the company published its first Mobile Security Index report. “Some of this increase is related to the expanding attack surface” as companies rely on more mobile devices for their day-to-day operations. That trend has also translated into an increasing perception of the security risk posed by the use of mobile devices, as 85% of respondents say risks from mobile device threats have increased over the past year (of which 27% say that risk has increased significantly). 

In critical infrastructure sectors, 96% of respondents say their companies have some degree of IoT device adoption, the majority of which are regarded as “full-scale deployments” (so not just partial deployments or trials). In the energy and utilities, healthcare and public sector industries, more than 60% of respondents said their IoT deployments are already at full scale. 

But such deployments come with increased security risks, as “IoT devices often have weak security and network connectivity,” according to Verizon Business. “Many IoT security vulnerabilities exist from the time of the device’s manufacture. Many come with weak default passwords… some devices have credentials embedded in firmware, making them impossible to change,” while “others may not use authentication at all,” added the service provider in the report. In addition, IoT devices are designed to use little power and have extremely limited processing capabilities, which means they “can’t run anti-malware programs or encrypt data shared across enterprise networks.” 

Verizon Business adds: “A lack of industry-wide security standards for IoT devices and their communication protocols increases security risks, as does having many devices installed in remote locations where they may be vulnerable to physical tampering.” 

None of this sounds good, right? Especially as “IoT adoption is widespread in critical infrastructure sectors.”

So it’s perhaps no surprise, but still very concerning, that 53% of respondents from critical infrastructure sectors “have experienced significant mobile or IoT device-related security incidents leading to data loss or system downtime,” while 48% of respondents from those sectors “have experienced a major impact due to a security compromise of an IoT device.” 

At the same time, 87% of those same respondents believe a security breach involving mobile and IoT devices “would have a substantial impact on their business,” and 44% of them identify the “integration of mobile and IoT services” as “a daunting security challenge.” 

As you’d expect, Verizon Business is on hand to advise and help, and is encouraging enterprises to ensure that they factor the impact of IoT device use into their security strategies. 

“The industrial internet of things (IIoT) is giving rise to a massive expansion in mobile device technology that goes well beyond phones, tablets and laptops. Enterprise networks now include all sorts of sensors and purpose-built devices that monitor, measure, manage and control commercial tasks and data flow,” noted TJ Fox, senior VP of industrial IoT and automotive at Verizon Business, who goes on to use a word I’ve never encountered before (see if you can spot which one it is…). “IIoT growth brings with it a proportionate need for more knowledge, awareness and IT solutioning [‘Thar she blows, cap’n!’] to ensure the security of those increasingly sophisticated networks. The growing importance that IoT plays in our customer’s technology ecosystem underscores why it should be a component in any sound cybersecurity programme,” added Fox. 

The report also, as you’d expect, includes an AI angle. “Emerging artificial intelligence (AI) technologies are expected to exacerbate the mobile threat landscape, but it also presents opportunities for defence,” according to the service provider. “A striking 77% of respondents anticipate that AI-assisted attacks, such as deepfakes and SMS phishing, are likely to succeed. At the same time, 88% of critical infrastructure respondents acknowledge the growing importance of AI-assisted cybersecurity solutions.”

That sounds like good news for the security services and product sector and yet another steep learning curve for enterprise users…

- Ray Le Maistre, Editorial Director, TelecomTV