Shadow IoT Devices a Major Concern for Corporate Networks, Infoblox Research Finds
February 2020 by Infoblox
Infoblox Inc. announced new research that exposes the significant threat posed by shadow IoT devices on enterprise networks. The report, titled “What’s Lurking in the Shadows 2020” surveyed 2,650 IT professionals across the US, UK, Germany, Spain, the Netherlands and UAE to understand the state of shadow IoT in modern enterprises.
Shadow IT devices are defined as IoT devices or sensors in active use within an organisation without IT’s knowledge. Shadow IoT devices can be any number of connected technologies including laptops, mobile phones, tablets, fitness trackers or smart home gadgets like voice assistants that are managed outside of the IT department. The survey found that over the past 12 months, a staggering 80% of IT professionals discovered shadow IoT devices connected to their network, and nearly one third (29%) found more than 20.
Interesting findings from the UAE include:
• Over 86% of enterprises in UAE have more than 1,000 devices connected to their corporate networks. Nearly a third of enterprises (30%) have between 5,001 – 10,000 connected devices on their corporate network
• Nearly 70% of respondents in UAE said that on an average day over 1000 non-business provisioned IoT devices like smart watches, voice assistants, tablets, Fitbits etc. connect to the business network
• 92% of enterprises in UAE have a security policy in place for personal IoT devices connected to the corporate network. However only half (50%) of the enterprises surveyed feel their security policy for personal IoT devices is ‘very effective’.
• 90% of enterprises in UAE have varying degrees of concern about shadow IoT devices lurking on remote or branch locations.
• Over a third of respondents in the UAE (34%) mirror the security solution at their branches that they deploy centrally at their headquarters.
• Over a third of respondents in the UAE (35%) said they see OT devices (e.g. HVAC, Video Cameras, MRI machines) as their biggest security concern when it comes to their network security.
• Over 4 in 5 respondents in the UAE (81%) said the network security solutions they plan to deploy in the next 2-3 years are cloud-based functions (e.g. CASB, UEBA, Proxy).
The global report revealed that, in addition to the devices deployed by the IT team, organisations around the world have countless personal devices, such as personal laptops, mobile phones and fitness trackers, connecting to their network. The majority of enterprises (78%) have more than 1,000 devices connected to their corporate networks.
“The amount of shadow IoT devices lurking on networks has reached pandemic proportions, and IT leaders need to act now before the security of their business is seriously compromised,” said Malcolm Murphy, technical director, EMEA at Infoblox.
“Personal IoT devices are easily discoverable by cybercriminals, presenting a weak entry point into the network and posing a serious security risk to the organisation,” he added. “Without a full view of the security policies of the devices connected to their network, IT teams are fighting a losing battle to keep the ever-expanding network perimeter safe.”
Nearly nine in ten IT leaders (89%) were particularly concerned about shadow IoT devices connected to remote or branch locations of the business.
“As workforces evolve to include more remote and branch offices and enterprises continue to go through digital transformations, organisations need to focus on protecting their cloud-hosted services the same way in which they do at their main offices,” the report recommends. “If not, enterprise IT teams will be left in the dark and unable to have visibility over what’s lurking on their networks.”
To manage the security threat posed by shadow IoT devices to the network, 89% of organisations have introduced a security policy for personal IoT devices. While most respondents believe these policies to be effective, levels of confidence range significantly across regions. For example, 58% of IT professionals in the Netherlands feel their security policy for personal IoT devices is very effective, compared to just over a third (34%) of respondents in Spain.
“Whilst it’s great to see many organisations have IoT security policies in place, there’s no point in implementing policies for their own sake if you don’t know what’s really happening on your network,” Murphy said. “Gaining full visibility into connected devices, whether on premises or while roaming, as well as using intelligent systems to detect anomalous and potentially malicious communications to and from the network, can help security teams detect and stop cybercriminals in their tracks.”
Ashraf Sheet, Regional Director Middle East & Africa at Infoblox said, “In the Middle East, awareness of the risk of shadow IoT devices has grown significantly, yet IoT devices remain an open portal for cybercriminals looking to attack a network. It’s clear that regional businesses are prioritizing safety, but they are still bogged down by a lack of skilled staff and the increasing number of shadow devices connecting to their infrastructure. Because of this, network and security professionals must actively manage the threat introduced by shadow devices and integrate new network security solutions.”