The adoption rate of Internet of Things (IoT) devices, sensors, and applications were staggering prior to COVID-19, and it soared even more thanks in part to the work-from-anywhere model so many organizations adopted in response to the pandemic. This doesn’t mean that risk managers should shy away from this growing security risk.

A recent IoT security report from Palo Alto Networks indicates that an estimated 1.1 billion IoT physical security endpoints were deployed in enterprise environments at the end of last year. Another 1.4 billion IoT endpoints were used in enterprise utilities applications last year, and Gartner projects that the total number of IoT endpoints across all enterprise segments will surpass 5.8 billion by the end of this year.

An IoT endpoint refers to the computing device that performs a task or function as part of a connected product or service. Examples of endpoints include industrial control and monitoring systems, thermostats, connected vehicles, and that Apple Watch or Fitbit you may be wearing.

While Palo Alto is in the business of selling cybersecurity solutions (as the last five pages of its report make clear), it’s survey-driven research and guidance on identifying, categorizing, and addressing IoT security risks contains practicable insights regardless of your IoT security vendor preference.

The report distinguishes among different categories IoT security challenges, including:

• Inventory: This is a big one, as Shared Assessments research report on IoT risks (conducted with the Ponemon Institute) confirms. Many companies and third parties continue to struggle to get a firm grip on the number and type of IoT devices connected to their networks.
• Data Volume: Once an organization has an accurate read of its IoT-device inventory, it needs to figure out how to govern the massive amount of data produced by both managed and unmanaged IoT devices.
• Variability: “The sheer diversity of IoT devices in terms of their limitless forms and functions” represents a significant obstacle, according to Palo Alto Networks.
• Operations vs. Security: As IoT security capabilities mature, a tricky conflict often arises: select IoT devices that are deemed critical to core operations also elude a straightforward integration into the existing network architecture, information security program, and protocols.

The report also presents a 5-stage lifecycle approach to IoT security through which:

1) Assets are identified and understood;

2) IoT risks are assessed;

3) Risk reduction policies are applied;

4) Known threats are prevented; and

5) Unknown threats are detected and addressed.

The excellent report concludes with a look at five considerations (each with a spot-on checklist of related functionalities to consider implementing) prospective buyers of IoT security solutions should evaluate.

Additional information on IoT risks:

• Blogpost: 5 Drivers of IoT Risks
• Blogpost: IoT Risk: Bite may be Worse than its Bark
• Blogpost: What Slasher Movies and IoT Security Have in Common: 3 Chilling Realities about IoT Risk
• Blogpost: Is the New Federal IoT Law a Sign?