As the explosive growth of IoT tech continues, businesses, vendors and consumers all have to confront the issue that the world is more connected than ever before, with potentially gigantic consequences.

The central problem with IoT security is that there is no central problem – IoT is a more complicated stack than traditional IT infrastructure and is much more likely to be made up of hardware and software from different sources.

There are three main areas of IoT security – devices, network, and back-end. All of them are potential targets, and they all require attention, according to Forrester principal analyst Merritt Maxim. Right now, devices are getting the bulk of the attention – the huge number of different manufacturers, some of whom haven’t worked very hard to make their products secure, makes device-level IoT security problematic.

“You don’t have the Wintel monopoly you have in the desktop world, which makes a more homogeneous environment,” said Maxim. “Generally [IoT] devices are running embedded Linux or various flavors of that, which creates security blind spots,” since those operating systems might not be what IT security pros are used to working with.

What’s more, most of the IoT players that are actively focusing on security are approaching it at the network or back-end level – not on the devices themselves, according to Stacy Crook, IDC’s research director for IoT.

“There’s a point to which these guys can get down deep in the device, but they have to figure out how much investment they want to make there because … there’s so many different device types and different architectures,” she said.
“So they have to figure out how much of their time do they really want to spend.”

Addressing the threat

Specialist security firms are doing their best to keep pace with the changing nature of the IoT security threat. Companies like Pwnie Express – which got its start making penetration testing devices – have tried to adapt to the new threat landscape.

“In the early days, [test devices] were things like [fake] wall plugs, and they worked harder at making sure they were disguised, since the pen tester didn’t want to make it obvious that the environment was under test,” recounted Matt Williamson, CTO of Pwnie Express.

The latest and greatest, however, is a module that sits in a customer’s data center and monitors Wi-Fi, Bluetooth, and a host of other wireless network types for unusual traffic, since the network is a major potential target for malicious hackers.

Yet it can be difficult to focus security efforts, according to Williamson, with different customers worrying about different parts of the network.

“Because we’ve got a fairly broad set of things that we cover, it’s tough to put a finger on which ones are more important,” he said. “Some of our customers are more concerned about Bluetooth … Bluetooth TVs, and so on. Other people are more worried about rogue access points.”

These issues aren't unique to IoT, but they're relevant nonetheless – so much so that Pwnie's corporate focus is squarely on IoT as it applies its pen testing expertise to the increasingly broad array of devices present on corporate networks.

Polls: IoT Security is a major issue

The IT world has, at least, obtained an awareness of the scale of the problem it faces, according to several recent surveys.
Pwnie’s 2017 Internet of Evil Things report, which surveyed 800 security professionals, found that fully 84% of respondents said that the Mirai botnet incident – which saw vast numbers of poorly secured IoT devices, primarily digital security cameras, harnessed into a powerful botnet used in DDoS attacks – in 2016 had changed their view of IoT security threats. 92% said the problem will remain a major issue.

Part of the problem seems to be that efforts to address it are still in the early stages – just 23% of security pros who monitored the connected devices entering their offices said that they scanned them for malicious code, and two-thirds of respondents said they weren’t sure of the total number of connected devices being brought onto their networks.

A poll of 500 executives conducted by Forbes concurred, finding that respondents ranked IoT as the most important emerging technology, outpacing even robotics and AI. A third of the respondents said that security is the most serious problem facing IoT.

According to Maxim, part of the reason for that is that the consequences of IoT hacking are potentially a lot more serious than those of traditional computer crime – a 2012 scene from the TV series Homeland, which saw a character die when his pacemaker was hacked, is anything but far-fetched, he said.

“That’s not a theoretical attack, that’s possible today – and that’s a different dynamic than the traditional online world, where it’s just about identity theft or payment information for monetary gain,” said Maxim.
“IoT hacking can cause potential loss of life.”

Common platforms link devices to the backend

The traditional way of connecting IoT devices to the back end was with customized platforms, but now a majority – 57% – of IoT deployments use platforms that can be applied to most deployment scenarios, according to Crook’s research.

Google and Microsoft are raising the profile of this option with their service offerings Google Cloud and Azure IT that provide such platforms.

“It’s really the idea about leveraging a common platform to build these IoT applications across different use cases, instead of having to create a custom platform for every single different IoT use case,” she said.

There are security ramifications, mostly positive, to the increasing use of these platforms – Crook’s recent research said that 57% of IoT deployments are using this type of platform – and most of them center on the edge layer, a new part of the stack that sits between the endpoint devices and the data center. An example would be a hub device that analyzes data and does low-level management of connected devices on a factory floor.

Edge computing is an important concept for IoT, because many applications – particularly those that are highly delay-intolerant – can’t wait for data to make the cycle all the way from the endpoint to the data center and back again before action is taken. Hence, IoT hubs and other devices will take up some of the computational and management slack – and add an additional place in the stack that security features can be implemented.

“Increasingly, [data is] going to be collected at the edge,” said Crook. “It could be on a factory floor, for instance, and there are going to be more and more of these edge devices collecting data.”

More broadly, she added, an IoT platform is an architecture created with security in mind but not as the main focus.
There are threat detection capabilities available, but they’re usually sold as add-on services, not as core components of the platform.

“IoT security is definitely going to be an ecosystem approach,” said Crook. “The platform providers will work with other security companies on providing full solutions, but I think the platform certainly plays a key role in security.”

Recommended actions

There’s a limited amount of action that most IoT users can take, according to Maxim, but the most important steps at the device level are:

- Never using devices with default passwords.
- Ensuring that there’s a way to patch everything – a device that can’t be patched remotely, once compromised, is now a part of the “Internet of Bricks.”

But attacks are likely to continue, which could have far-reaching consequences down the road.

“We have started to see fines levied against medical device companies and others for privacy violations, so there is some regulatory heat there,” Maxim said. “Unfortunately, we probably need a couple even higher-profile compromises to get to a point where it’s regulated or get the industry to act.”

In the future, we may see systems that are more fundamentally security-oriented, according to the CEO of blockchain-based IoT security startup Xage, Duncan Greatwood – who noted that they could look very different than previous-generation technology.

“People make statements like ‘security is foundational’ and expect polite nodding,” he said. “It’s a different kind of situation to enterprise security.