Firms with exposed IoT have a higher concentration of other security problems

Exposed enterprise IoT devices can be an indicator of security issues to come, with firms sporting exposed devices having a 62% higher density of other security problems, new research shows.

For example, companies with exposed IoT are more than 50% more likely to have email security issues, according to a new report and blog post from the Cyentia Institute and RiskRecon.

But what does that correlation mean for chief information security officers? SC Media spoke to Kelly White, RiskRecon founder and CEO, to find out.

Is it surprising that there’s a correlation between something like IoT exposure and other security issues?

This is something we see time and time again: Where there’s smoke, there’s fire. The data shows that smaller indicators of cybersecurity risk performance, particularly on the negative side, are strong indicators of larger problems. And that’s certainly borne itself out in the IoT report, where you have a 62% greater flaw density, observable flaw density, in environments where they are operating IoT devices on the internet.

We’ve had other research papers that we’ve put forward, where we see that pattern happen over and over again, whether it’s, if you’re running a MySQL server database on the internet, that’s a strong indicator of having much bigger issues. And something simple, like ‘are you running the latest TLS encryption protocol?’ That’s another indicator of larger issues.

When you say larger issues, is that just in regard to the number of problems, or do the problems actually get worse from there?

The problems get worse from there.

If you have that IoT device, what had to go wrong? Let’s say you had a printer operating on the internet. Well, a lot of things went wrong. You have systems of internal network accessible from the internet, so potentially, you’ve got internet access and firewall policy issues.

Then breaking down why those occurred, there are much larger problems behind that that led to that occurring, aside from the fact that it’s just a bad idea. If it’s an accident, then geez, you’re not managing your environment and you don’t have effective security…