Despite major IoT attacks last year, and even though most organizations are extremely concerned about getting attacked, the majority are doing nothing to prevent these attacks, according to Arxan's 2017 Study on Mobile and IoT Application Security Report, independently conducted by the Ponemon Institute.
The majority of organizations are instead zeroing in on what is viewed as the biggest threat: malware. Eighty-four percent of respondents are very concerned about the threat malware poses to mobile apps, while another 66 percent said they're concerned about the threat it poses to IoT.
In fact, most organizations are struggling to secure IoT apps, with 58 percent of IT leaders viewing IoT hacking as a bigger threat than mobile.
While it's helpful that organizations are recognizing the threat to these devices, it's concerning that most aren't doing anything to prevent attacks, according to Arxan's Chief Marketing Officer Mandeep Khera.
When these leaders were asked why they're not ramping up security on these devices, it boiled down to two reasons: a lack of regulation and the fact that the hacks weren't visible, Khera explained.
"Budget is linked to these reasons, but respondents said only if there was a big hack that was visible, they would get on this," Khera said. "I don't understand why this hasn't been done. One hack can cost millions of dollars."
"But if these companies are proactive, it can save thousands of dollars," he added. "I don't know if it's a lack of awareness or just no interest, but companies aren't properly prepared for an attack, and that's just scary."
While it's good news that organizations are recognizing the threat -- 79 percent said mobile app usage and 75 percent said IoT apps increased security risk very significantly or significantly -- it's not enough.
Sixty-three percent of respondents aren't confident or have no confidence in their organization's understanding of mobile apps used by employees. Further, 75 percent aren't confident or have no confidence they know all of the IoT apps in the workplace.
There are two major components to consider in the healthcare industry. There's an overlap when a provider asks patients to use a mobile app: it needs to be protected under HIPAA, Khera explained.
"But the bigger issue here are connected IoT devices, like insulin pumps," said Khera. "The consequences are much more severe if it's hacked into, as you're now talking about a potential loss of life. However, we're starting to see a lot more positive movement, not just with guidelines, but also proactive measures to protect these devices."
In the coming year, Khera expects to see more regulations, especially with IoT. Medical devices will be under more scrutiny, as well, especially given the recent updates to FDA guidelines. 2017 will also be a pivotal year for risk regulations.
This year, it's likely there will be at least one, if not multiple, major attacks on these devices. Khera explained that while many of these attacks will be financially driven, others are engaging in a proxy war. Hackers will go after low-hanging fruit: IoT devices fit into this category and are most likely to be hacked.