Despite hundreds of millions of discoverable IoT devices on the Internet, our recent research study on exposed IoT devices in enterprise organizations found relatively few of them among the external-facing enterprise assets in RiskRecon’s dataset. Less than one-twentieth of one percent (0.038%) of all scanned hosts owned by organizations are IoT devices. So, why the discrepancy? The answer is simple: RiskRecon takes care to ensure that the hosts it assesses belong to organizations rather than to individuals. We infer that the vast majority of discoverable IoT devices detailed in other reports are connected home devices.
There’s a big difference between keeping individual hosts free of security issues and an organization being able to purge those issues entirely from its infrastructure: a finding rate that is tiny per host can still touch a meaningful share of organizations. This pattern manifests itself in Figure 1, with roughly 0.5% of organizations having at least one Internet-facing IoT device with detectable security findings. Still a blessedly low value, but not insignificant.
Figure 1: Proportion of organizations exposing insecure IoT devices
Of course, the rates of organizations with IoT findings are likely to vary based on several firmographic factors. And as you might expect, it’s smaller organizations that tend to have more trouble keeping IoT devices from being exposed to the outside world. Below we see that organizations with exposed IoT devices typically have a small digital footprint (a median of two Internet-facing hosts). Meanwhile, organizations that do not expose IoT devices have nearly 10x the number of hosts comprising their infrastructure and match the overall distribution we see for all organizations.
Figure 2: Size comparison of firms with (red) and without (blue) exposed IoT devices
Below we break down the percent of organizations with IoT findings by industry. Once again, we have to pity education, whose likelihood of having IoT findings is nearly 14x the base rate of 0.48%. This is unsurprising given the positively byzantine networking environment of most educational institutions. We see a lot of variation across industries, though, with the top performers exhibiting a prevalence of IoT exposure that’s well below that base rate.
Figure 3: Comparison of IoT exposure rates by industry
Stay tuned to our blog, where we will continue to dive into the cyber risk posed by exposed IoT devices in the enterprise, or download our IoT device study to get the full details on our research.