2018-06-28
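Recent survey results show that nearly half of the companies using IoT devices have suffered attacks, and the cost of handling these attacks usually exceeds that of traditional attacks.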
Two independent research reports both show that 46% of respondents suffered a security incident as a result of attacks on IoT devices.
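A survey released this month by IDC interviewed approximately 100 IT security staff, IT operations staff, and executives. The other survey was released in June of this year by consulting firm Altman Vilandrie, which interviewed approximately 400 IT executives in 19 countries.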
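According to the Altman Vilandrie report, the cost of securing IoT devices will rise over the next few years, reaching as much as one third of the IT budget. The vast majority of IDC respondents say the cost of handling IoT attacks tends to exceed that of traditional attacks.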
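According to the Altman Vilandrie report, among companies with annual revenue below $499 million, IoT attacks left more than half facing financial losses of up to $250,000. The report says the impact was especially large for companies with annual revenue below $5 million, where the financial loss amounted to approximately 13.4% of annual revenue.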
Meanwhile, the survey shows that nine companies with annual revenue above $5 billion lost at least $20 million.
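Ryan Dean, a principal at Altman Vilandrie and one of the report's authors, says: "In our research sample, companies with annual revenue above $5 billion make up only 5%. In general, the financial losses suffered by the largest enterprises may vary greatly, depending on the type and impact of the attack."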
The IDC report shows that nearly half (46%) of those surveyed experienced an attack on IoT devices.
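Robert Westervelt, an information security analyst at IDC, says: "This far exceeds my expectations. IoT is still in its early stages, and I expected the figure to be around 10% to 20%, not 46%."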
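Meanwhile, nearly two-thirds (63.5%) of respondents in the financial services industry and nearly half (47.2%) of respondents in the healthcare industry say their organizations experienced an IoT security incident.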
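Because the vast majority (93.2%) of those surveyed rely on third-party service providers or vendors (such as IoT forensic specialists) to help them fix or assess IoT attack incidents, the report finds that 70.1% of respondents say IoT attacks cost more than traditional attacks.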
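Over the two-year survey period, 46% of the Altman respondents say their IoT devices or networks were attacked. Altman's Dean says he was surprised by this high percentage.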
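Dean says chief information security officers (CISOs) should be aware of three major IoT security risks. The first is a lack of investment in IoT security, which can lead to IoT attacks. The second is failing to realize that an IoT attack can not only damage the device and its surroundings but can also cause financial losses, damage to brand reputation, and other losses such as legal fees and the cost of winning customers. The third is that CISOs may be at risk if they are unwilling to weigh mature security vendors against IoT security startups.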
The survey results show that companies that include IoT security in their IT security budget are less likely to suffer an IoT attack.
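The report shows that more than half (52%) of respondents say their organizations did not suffer an IoT attack within two years, and one third (33%) say their IT security budget covers IoT security. Among the companies that did suffer an IoT attack, only 20% allocated budget to IoT devices.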
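Dean says: "Companies that invest less in IoT security, 20% of the IT budget in this case, are more likely to suffer an IoT attack. Conversely, companies that invest more in IoT security, 33% of the IT budget in this case, are less likely to be attacked."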
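IDC finds that the IoT market, although young, is maturing rapidly, with 40% of respondents saying their companies have implemented six to ten IoT security measures. Financial services and healthcare organizations predict that IoT security costs will rise.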
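IDC's Westervelt says IoT security currently accounts for 15% or less of IT budgets. He notes that as companies add endpoint, network, and web security solutions, they will need to extend them into the IoT environment.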
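The IDC survey finds that 62% of respondents expect IT security spending to rise. Financial services and healthcare organizations predict that they will adopt security analytics, data loss prevention, and other traditional IT solutions to mitigate IoT risks.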
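Westervelt says: "IoT medical devices use sensors to communicate, and much of the IoT security spending in the healthcare industry stems from the need to meet compliance requirements."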
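According to the Altman Vilandrie report, loss of control over IoT devices is one of the main reasons IT executives buy IoT security solutions. Dean says this is driven by public safety concerns, such as the remote control of a Jeep Cherokee.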
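Ranked first is the combination of the No. 1 reason (protecting customer information) and the No. 2 reason (loss of control over IoT devices). In explaining why these two reasons were combined, Dean says this was done to broadly reflect the important issues IT executives need to pay attention to.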
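The Altman Vilandrie survey report finds that whether a company has suffered an IoT attack can affect its decisions about purchasing IoT security solutions over the next one to two years.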
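The survey finds that among enterprises that have suffered an IoT attack, 71% list "defense technology" as the solution they most want to buy within the next few years. For companies that have not yet suffered an IoT attack, the IoT security solutions they most want to buy are monitoring and control products.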
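"We believe that buying 'defense products' is a reactive measure," the experts concerned say. "These respondents have already suffered an IoT attack and have not yet deployed adequate security defense solutions. Conversely, other respondents may already have good security plans in place, and they focus more on buying 'monitoring and control products' to manage endpoints and systems."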
《IoT Security Incidents Rampant and Costly》
Internet of Things breaches and security incidents have hit nearly half of the companies that use such devices, and the cost to deal with these attacks is usually more than traditional breaches, according to recent survey results.
In two separate reports, each of the studies found that 46% of respondents report they suffered a security breach or incident as a result of an attack on IoT devices.
One survey, released this month by IDC, queried approximately 100 IT security, IT operations, and other C-level suite executives, while another, released in June by consulting firm Altman Vilandrie & Co., gathered data from approximately 400 IT executives in 19 countries.
Not only are the costs associated with securing IoT devices expected to rise in the coming years, but they are also expected to account for as much as a third of the IT spending budget, according to Altman Vilandrie. The vast majority of IDC survey respondents say the cost to address IoT security incidents and breaches tends to run more than the cost of fixing traditional breaches and incidents.
More than half of the companies with annual revenue of less than $499 million faced up to $250,000 in financial losses as a result of an IoT breach, according to the Altman Vilandrie report. The financial hit was especially hard on companies with annual revenue of less than $5 million, which represents approximately 13.4% of their annual revenue, the report says.
Meanwhile, nine companies that generate $5 billion in annual revenue or more rang up losses of at least $20 million, the survey notes.
"The sample size on the $5 billion-plus companies is only 5% of respondents," says Ryan Dean, a principal with Altman Vilandrie, and one of the authors of the report. "In general, the financial impact on the largest businesses will probably vary greatly depending on the type and impact of the breach."
Nearly half of the survey respondents in the IDC report say they experienced a security attack on their IoT devices.
"I would have expected it to be much lower," says Robert Westervelt, an information security analyst with IDC. "IoT is still in the early days and I would have expected the results to be around 10% to 20%, not 46%."
Meanwhile, nearly two-thirds (63.5%) of survey respondents in the financial services industry and almost half (47.2%) in the healthcare industry say their organizations experienced an IoT security breach or incident.
Because the vast majority (93.2%) of survey respondents call in third-party services or vendors such as IoT forensic specialists to help them fix or assess an IoT breach or incident, the report finds that 70.1% of respondents say IoT attacks are more costly to deal with compared with traditional breaches or incidents.
Over the course of two years, 46% of survey participants in the Altman report say they encountered an attack or breach of their IoT device or network. Altman's Dean says he is surprised by the high percentage of survey respondents reporting an IoT attack.
The take-away for CISOs should be the recognition of three big potential IoT security risks, says Dean. The first is that the lack of investing in security to address IoT threats can leave an enterprise potentially exposed to such attacks. Another is failing to realize that an IoT breach and incident can not only potentially damage the device and its surroundings, but can also result in a loss of revenue, brand reputation, and additional costs such as legal fees and payouts to customers for recalls. And lastly, CISOs face a potential risk if they are not willing to undertake the challenge of weighing mature security vendors against IoT security startups, which may, potentially, offer a more targeted solution to secure this newer form of technology.
Companies that spend a portion of their IT security budget on IoT security are less apt to encounter an IoT breach, according to the survey results.
Of the more than half (52%) of survey respondents whose organizations did not experience an IoT breach in a two-year period, a full third (33%) say they spent some of their IT security dollars on IoT security, according to the report. And for the companies that did get hit with an IoT breach, only 20% say they allocated a portion of the IT security budget to safeguarding IoT devices.
"Companies that are spending less on security, for example 20% in this case, are more likely to have a breach," Dean says. "Conversely, if a business spends more on security, for example 33% in this case, they are less likely to have a breach because they are spending more."
IDC finds the IoT market is not only young but is rapidly maturing, with 40% of survey respondents indicating their companies have undergone six to 10 IoT implementations. In the financial services and healthcare industries, organizations expect IoT security costs to rise from their current level.
IoT security currently comprises 15% or less of IT budgets, IDC's Westervelt says, noting that as companies add end-point, network, and Web security solutions, they will need to extend to an IoT environment.
The IDC survey found 62% of respondents anticipate IT security spending will rise. The financial services and healthcare industries expect security analysis, data loss prevention, and other traditional IT solutions to be used to mitigate IoT risks, according to the IDC report, which was commissioned by Spirent.
"IoT medical devices use sensors to communicate and a lot of the IoT IT security spending in healthcare is driven around regulatory compliance," says Westervelt.
Loss of control over the IoT device was one of the top reasons why IT execs purchase IoT security, according to the Altman Vilandrie report. This is driven by public safety issues, for example, the infamous remote commandeering of a Jeep Cherokee, says Dean.
The top ranking is a combination of both the No. 1 reason, prevention of customer information, and the No. 2 reason, a loss of control over an IoT device. In explaining why the top two reasons were combined, Dean says it was done to broadly reflect the issues that are important to IT executives.
Whether a company suffers an IoT breach or is left unscathed affects its choice of the IoT security it wishes to buy in the next one to two years, the Altman Vilandrie report finds.
In the survey, 71% of respondents whose companies got hit with an IoT breach listed "defense technology" as what they wanted to snap up within the next couple of years, making it the most sought-after IoT security solution among this group. For companies that have yet to suffer from an IoT breach, the top IoT security solution on their list is monitor and control products, according to the report.
"Our interpretation is that the intention to purchase a 'defend' product among the breach segment is indicative of reactionary purchasing," observes Dean. "These respondents would have had a breach in the past and may not have had adequate security 'defense' solutions in place. Conversely, the other segment may have better security proposals in place and be more focused on 'monitoring and controlling' to manage the end points and systems."
Attachments:
《IoT Security Incidents Rampant and Costly》--原文.pdf
《IoT Security Incidents Rampant and Costly》--译文.pdf
