Why IoT Incidents hit harder than IT breaches
The price of connectivity
As the world embraces IoT technologies, the associated risks and vulnerabilities become increasingly prominent. Traditional IT incidents and IoT incidents differ not only in their nature but in the full spectrum of costs they impose on organizations. This paper examines these differences in detail, providing an analysis of the often-overlooked expenses specific to IoT incidents. By quantifying the economic impact of IoT security breaches and contrasting them with traditional IT incidents, we underscore the hidden financial repercussions IoT incidents can have across sectors.
Financial ramifications and security gaps
The rapid growth of IoT has transformed industries, promising connectivity, automation and data-driven decision-making. However, these benefits come with considerable risks. Unlike traditional IT systems, which are designed with a significant focus on security and resilience, many IoT devices prioritize functionality, leaving substantial security gaps. When breaches occur, the financial ramifications extend beyond the typical costs associated with IT incidents. This paper delves into these unique financial costs, highlighting why IoT incidents pose a different set of challenges compared to traditional IT security breaches.
Beyond Data, IoT risks exposed
Traditional IT incidents, such as data breaches, denial-of-service attacks and ransomware, have well-documented costs. These generally include:
- Direct financial loss: Immediate financial consequences, such as ransom payments or revenue lost to service downtime and disruptions.
- Regulatory fines and legal fees: Regulators impose fines, and legal fees accrue while a data breach is being handled.
- Operational disruption: Organizations face workflow interruptions that reduce productivity and profitability.
- Incident response and recovery costs: Technical recovery, remediation, employee overtime and forensic analysis all add up.
IBM estimates that the average cost of a data breach is approximately $4.88 million [1], a figure that encompasses these primary cost factors. Traditional IT infrastructure is, however, usually easier to secure thanks to standard security solutions and established compliance frameworks.
The financial impact of an IoT breach is estimated at $195,428. The biggest cost amplifiers are security system complexity, a shortage of security skills and noncompliance with regulations.
Unique cost drivers of IoT incidents
IoT incidents, however, introduce additional layers of costs that organizations may not be prepared for. These include:
- Broad attack surface and exposure: The distributed and interconnected nature of IoT devices increases exposure and potential access points for attackers, resulting in larger-scale incidents that can compromise the entire IoT and IT ecosystem.
- Limited control and legacy IoT: Many organizations deploy legacy IoT devices that lack robust security features. These devices often operate on outdated software with known vulnerabilities, leaving them susceptible to exploitation. The limited control over these devices complicates security efforts, necessitating significant resources for upgrades or replacements.
- Physical impact and safety risks: IoT incidents can have tangible physical impacts, especially in critical sectors such as healthcare, industrial IoT, and the Internet of Vehicles (IoV). A security breach could compromise the functionality of life-saving medical devices or autonomous vehicles, potentially endangering lives. Such incidents may lead to costly product recalls, legal liabilities, and reputational damage.
- Complex incident response and forensics: Responding to IoT incidents requires specialized knowledge and tools, as traditional incident response frameworks may not adequately address the unique challenges posed by IoT ecosystems. This complexity can lead to prolonged downtime, higher incident management costs, and difficulties in forensic investigations to determine the root cause of the breach.
- Supply chain and operational costs: IoT devices are often embedded within intricate supply chains and critical infrastructure systems. A breach in these environments can create costly disruptions, affecting not only the targeted organization but also its partners and customers. The domino effect of such incidents can lead to substantial financial losses and operational inefficiencies.
- Regulatory compliance and liability risks: Regulatory frameworks, such as the EU Cyber Resilience Act (CRA), impose stringent compliance requirements for IoT security. Organizations that fail to adhere to these regulations may face significant fines and legal penalties. The cost of ensuring compliance can be substantial, particularly for organizations with extensive IoT deployments. Under the CRA, non-compliance with the essential requirements set out in Annex I and the obligations set out in Articles 10 and 11 is subject to administrative fines of up to 15 000 000 EUR or, if the offender is an undertaking, up to 2.5 % of its total worldwide annual turnover.
- Privacy risks: Since IoT devices often handle personal or sensitive data, any compromise brings privacy-related costs, magnified under laws such as GDPR. The reputational damage from a privacy incident can also erode customer trust and loyalty.
- Low detection and awareness rates: Many organizations struggle with low detection rates of IoT threats, often due to insufficient monitoring and visibility into their IoT environments.
- Complex supply chain and unknown firmware risks: The complexity of IoT supply chains introduces unknown risks related to firmware vulnerabilities. Organizations may lack visibility into the security of third-party components, making them vulnerable to attacks that exploit these weaknesses.
Each of these factors adds up to a unique set of costs that traditional IT incidents don’t necessarily entail.
Quantitative Analysis of IoT vs. IT Incidents
Quantifying the cost difference between IoT and IT incidents requires examining incidents in industries where both are prevalent. Consider the healthcare and manufacturing sectors, both of which rely heavily on IoT and IT infrastructure.
- Healthcare: A ransomware attack on an IT system may disrupt access to patient data, causing delays. But if an IoT-based infusion pump or MRI machine is compromised, the resulting costs include operational disruption, physical damage to equipment and potential harm to patients. The American Hospital Association (AHA) estimates that healthcare IoT incidents can cost 25-50% more than similar IT incidents because of their direct impact on patient safety. [2]
- Manufacturing: IT incidents in manufacturing typically disrupt networks or steal intellectual property. IoT incidents, however, can bring entire production lines to a halt, costing millions in lost productivity. According to a study by orangematter, the average cost of downtime per minute is $427 for small businesses and $9,000 for larger enterprises. Scaled to hours, a single hour of downtime costs small businesses roughly $25,620 and industrial environments more than half a million dollars ($540,000). [3]
Figure 1: Average downtime cost per day for small businesses: 24 x $25,620 = $614,880
Figure 2: Average downtime cost per day for industrial environments: 24 x $540,000 = $12.5M
Figure 3: Formula for the cost of a compromised IoT device: Total cost = cost of device replacement or repair + cost of downtime + cost of investigation and analysis + cost of reputation damage + cost of remediation and recovery + cost of data recovery + cost of regulatory fines and legal fees + increased cost of insurance coverage (or impact of lost coverage)
- Retail and consumer goods: With IoT-enabled Point of Sale (POS) systems, warehouses, and logistics networks, a breach could lead to supply chain disruptions, spoiled goods, or delayed shipments. Compared to IT breaches, these IoT incidents involve recovery efforts beyond cybersecurity measures, often affecting physical logistics and inventory.
| IoT cyber security incidents | IT cyber security incidents |
| --- | --- |
| Affect (inter)connected devices in real-time operations | Typically involve traditional endpoints (servers, computers, networks) |
| Higher risks due to physical impacts | Focused primarily on data breaches, information loss and service disruption |
| Harder to detect, recover from or remediate; often several attacks combined | Covered by the Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) |
Figure 4: Overview of IoT incidents vs IT incidents
The data consistently suggests that IoT incidents incur costs approximately 30-50% higher than traditional IT incidents, largely due to these compounding physical and operational factors.
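The downtime figures and the Figure 3 formula above can be put into a small cost model so that a practitioner can plug in their own numbers. The following is an added example, not part of the original paper: it takes the per-minute downtime rates quoted from the orangematter study, scales them to hours and days, sums the eight Figure 3 components, and applies the 30-50% IoT premium stated above to an IT-incident cost. The segment labels, the dataclass field names and the scenario amounts in `example_scenario()` are constructed for illustration.

```python
"""Cost model for a compromised IoT device (added example, not from the paper)."""
from dataclasses import dataclass, fields

# Per-minute downtime rates quoted in the paper from the orangematter study (USD).
# Segment labels are an assumption of this example.
DOWNTIME_PER_MINUTE_USD = {
    "small_business": 427,
    "enterprise": 9_000,
}
MINUTES_PER_HOUR = 60
HOURS_PER_DAY = 24


def downtime_cost(segment: str, minutes: float) -> float:
    """Cost of `minutes` of downtime for a segment, in USD."""
    if minutes < 0:
        raise ValueError("downtime cannot be negative")
    if segment not in DOWNTIME_PER_MINUTE_USD:
        raise ValueError(f"unknown segment {segment!r}")
    return DOWNTIME_PER_MINUTE_USD[segment] * minutes


def hourly_downtime_cost(segment: str) -> float:
    return downtime_cost(segment, MINUTES_PER_HOUR)


def daily_downtime_cost(segment: str) -> float:
    return downtime_cost(segment, MINUTES_PER_HOUR * HOURS_PER_DAY)


@dataclass
class IoTIncidentCost:
    """The eight components of the Figure 3 formula, all in USD.
    Field names are this example's choice, not the paper's."""
    device_replacement_or_repair: float = 0.0
    downtime: float = 0.0
    investigation_and_analysis: float = 0.0
    reputation_damage: float = 0.0
    remediation_and_recovery: float = 0.0
    data_recovery: float = 0.0
    regulatory_fines_and_legal_fees: float = 0.0
    insurance_increase_or_lost_coverage: float = 0.0

    def total(self) -> float:
        # Figure 3: the total is the plain sum of the components.
        return sum(getattr(self, f.name) for f in fields(self))

    def breakdown(self) -> dict:
        """Share of the total per component, to spot the dominant cost driver."""
        total = self.total()
        if total == 0:
            return {f.name: 0.0 for f in fields(self)}
        return {f.name: getattr(self, f.name) / total for f in fields(self)}

    def dominant_driver(self) -> str:
        shares = self.breakdown()
        return max(shares, key=shares.get)


def iot_cost_range(it_incident_cost: float, low=0.30, high=0.50) -> tuple:
    """Apply the 30-50% IoT premium the paper reports over a comparable IT incident."""
    return (it_incident_cost * (1 + low), it_incident_cost * (1 + high))


def example_scenario() -> IoTIncidentCost:
    """Constructed scenario: one compromised device in a small business, 4 hours down.
    All amounts other than the downtime rate are invented for illustration."""
    return IoTIncidentCost(
        device_replacement_or_repair=2_500,
        downtime=downtime_cost("small_business", 4 * MINUTES_PER_HOUR),
        investigation_and_analysis=8_000,
        reputation_damage=5_000,
        remediation_and_recovery=6_000,
        data_recovery=1_500,
        regulatory_fines_and_legal_fees=0,
        insurance_increase_or_lost_coverage=1_200,
    )


if __name__ == "__main__":
    for seg in DOWNTIME_PER_MINUTE_USD:
        print(f"{seg}: ${hourly_downtime_cost(seg):,.0f}/hour, "
              f"${daily_downtime_cost(seg):,.0f}/day")
    s = example_scenario()
    print(f"scenario total: ${s.total():,.0f}, dominant driver: {s.dominant_driver()}")
    lo, hi = iot_cost_range(s.total())
    print(f"comparable IoT incident at 30-50% premium: ${lo:,.0f} to ${hi:,.0f}")
```

In the constructed scenario, four hours of downtime alone accounts for roughly 80% of the total, which is the point the manufacturing and healthcare paragraphs make: for IoT incidents the operational component, not the data component, dominates the bill.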
Case Studies
- Case Study 1 | Mirai Botnet and IoT Infrastructure
The Mirai botnet attack of 2016 harnessed thousands of unsecured IoT devices, causing widespread internet outages. The cost to affected companies included not only revenue loss and DDoS mitigation expenses but also the increased cost of securing vulnerable IoT devices afterward. Companies like Dyn, which experienced massive downtime, faced unexpected recovery costs totaling millions.
- Case Study 2 | Stuxnet and Industrial IoT
The Stuxnet worm compromised industrial control systems, halting production and damaging equipment. The physical impact and equipment replacement costs of such attacks illustrate the severity of IoT breaches in critical infrastructure.
Key Differences in Cost and Mitigation Strategies
Unlike IT incidents, IoT incidents demand specific mitigation strategies. The following approaches are recommended:
- Enhanced monitoring and threat detection: AI-powered monitoring tools can identify unusual patterns across IoT networks, reducing incident response times.
- Regular patching and firmware updates: Because IoT devices ship with limited security measures, regularly patching them reduces exploitable vulnerabilities.
- Implementing a Zero-Tolerance Security Model: A zero-tolerance approach restricts IoT devices' network access, preventing lateral movement if a device is compromised.
- Device hardening: Securing the device at run-time so that it resists zero-day exploitation.
Each mitigation strategy may incur costs but can significantly reduce the overall financial impact of a potential IoT incident. Yet 97% of organizations face challenges in securing their IoT and connected products, and 89% said their IoT products have faced cyber attacks in the last 12 months.[4]
Responsibilities vs liabilities
All of this raises the question of who should be responsible for an IoT cyber breach or incident. [5]
The growing importance of IoT Security
IoT incidents, though often underestimated, can incur significantly higher costs than traditional IT breaches.
IoT incidents carry a premium due to:
- Operational and physical risks
- Interconnectedness across critical industries
- Regulatory penalties and long-term reputational damage
Investing in stronger IoT cybersecurity measures is crucial to mitigating these premiums.
While traditional IT breaches primarily involve data-related risks, IoT breaches extend to physical damage, operational losses and regulatory challenges. As IoT adoption continues to grow, businesses must reassess their cyber security spending and risk management practices. Investing in IoT-specific security measures, such as threat detection, patching and a zero-trust architecture, can help mitigate these costs. Understanding and addressing the full scope of IoT-related risks is not only a cyber security imperative but a financial necessity.
[1] https://www.ibm.com/reports/data-breach
[3] https://orangematter.solarwinds.com/2023/07/12/true-cost-of-downtime/
[5] https://www.keyfactor.com/state-of-iot-security-report-2023