IoT is an ever-expanding attack surface about which we have many misconceptions and assumptions, but for which we have very few policies, regulations or security. These are devices built for one purpose, not meant to be upgraded and rarely, if ever, patched. As more devices are enabled to connect and communicate online in the relentless pursuit of innovation, we’ve put the cart before the horse and failed to construct a framework to effectively control and secure the capability created.
Consider this: over 90% of the data in the world was created over the past two years, and current output is roughly 2.5 quintillion bytes per day. As IoT moves into a range of enterprise environments, driven by consumer demand and BYOD desire, Shadow IT becomes Shadow ET, bringing new challenges and risks that our existing compliance and security don’t address or regulate.
Misconfiguration usurps any benefits of eroding segregation as online exposure of both sensitive data and critical systems increases. Adversaries at all levels have been watching and waiting, and are making their moves, because ignorance isn’t an excuse – it’s an invitation to exploitation.