Igniting a security flame in the unprotected IoT game

Long hailed as a transformative force – with the promise of connecting billions of devices, generating real-time insights and revolutionising industries across the enterprise – the Internet of Things (IoT) was born with a mountain to climb.

The phrase was first coined in 1999 by Kevin Ashton, a computer scientist working at Proctor & Gamble who proposed putting radio-frequency identification (RFID) chips on products to track them through the supply chain. Inserting the then buzzword ‘internet’ into his proposal was simply a way to generate executive attention.

Perhaps, that’s part of the problem.

Because even though attention has continued to escalate in the 26 years since, market enthusiasm hasn’t always translated into business execution.

“The promise of IoT has been there for a long time,” acknowledged Tim Fussell, Founder and CEO of imei, a Sydney-based service provider.

Yet despite this grand vision, the market has largely failed to deliver on its potential. While there are notable success stories, the broader landscape remains fragmented, slow-moving and riddled with unrealised expectations.

“We’ve been looking at developing a viable IoT proposition in market for the past 12-13 years now,” Tim added.

“Whether you’re buying Grid Connect lights from Bunnings or VIP Vision cameras from a security business, there’s such an enormous range of connected devices available in market. But there’s no platform to manage all of those different connected devices – there’s some unique applications available for specific instances but that’s the extent of it.”

Tim’s opening observation strikes at the very heart of the IoT challenge and opportunity conundrum in Australia, and the rest of the world.

Depending on who you ask, the number of connected IoT devices in the market currently totals anywhere from 18.8 billion to 55.7 billion to 75 billion. While the jury is still out on the specific number, there is unilateral agreement that visibility ranks somewhere around the zero mark.

One major reason is complexity. IoT requires seamless integration of hardware, software, networks and data analytics – yet interoperability standards have long remained weak, creating silos that limited scalability.

Security concerns have also further slowed adoption, as organisations hesitate to connect critical infrastructure without robust safeguards.

Consequently, many IoT initiatives have struggled to prove return on investment (ROI), offering data without actionable outcomes, leading to pilot fatigue and abandoned projects.

“We’ve been playing in the IoT space for a long time and our focus has always been on how we can add value to the enterprise,” Tim said.

“We have unearthed much bigger opportunities this year because we now have a very broad view and full visibility over all connected technology in an organisation which then allows us to secure every one of those products and lock everything down if we have to.”

Cracking the connected device code

The catalyst of such a change in market appetite is imei IoT Protect, an xIoT (extended IoT) managed service delivered in partnership with Phosphorus Cybersecurity.

Built on Phosphorus Intelligent Active Discovery, the offering is designed to enable “safe, accurate and rapid” discovery of all xIoT devices on a network, as well as remediating vulnerabilities and ensuring compliance.

As the number of connected IoT devices surges, organisations face growing cyber security threats from the xIoT. These connected devices – from smart lighting and environmental sensors to security cameras and access systems – often go “unmanaged” which in turn, is leaving organisations increasingly “vulnerable”.

“As the number of connected devices continues to explode, so too does the complexity of securing them,” Tim explained. “We aim to give businesses the visibility and control they need to protect their networks and data – without adding operational overhead.”

Running as a fully managed and modular service, imei IoT Protect includes “comprehensive discovery” to identify xIoT devices on an enterprise network.

Automated remediation can fix misconfigurations, replace default credentials and patch vulnerabilities while compliance assurance helps bring xIoT devices into alignment with security policies and standards, undermined by ongoing monitoring and management.

“Together, we’re helping organisations eliminate blind spots and take control of their growing xIoT environments,” added Brett Raphael, President of Global Field Operations at Phosphorus.

Despite the growing adoption of IoT devices, many organisations fail to properly secure them due to a combination of structural, technical and cultural challenges.

Visibility is often a major barrier. IoT devices are often deployed outside central IT processes, creating ‘shadow IoT’ ecosystems that security teams don’t even know exist. Without an accurate inventory, it’s impossible to apply policies, patch vulnerabilities or monitor traffic effectively.

Furthermore, IoT security has historically been an afterthought in design and procurement. Devices frequently ship with weak or hardcoded credentials, lack encryption and have limited capacity for updates.

Organisations tend to prioritise cost, functionality, and rapid deployment over embedded security controls – especially in operational or industrial settings where uptime is critical.

Also, perceived risk is low until an incident occurs. Many organisations underestimate how a compromised camera, printer, or sensor could become a gateway to their entire network. This cultural complacency leaves IoT as one of the weakest links in enterprise security.

“This is a huge market because the risk for the enterprise is now huge,” Tim observed.

“Think about the number of connected devices in any one organisation and how unsecured they are. Businesses are focused on securing desktops and laptops but all of this peripheral technology doesn’t even register on their radar.”

Now add weak or default credentials to the mix, throw in a lack of patching and firmware updates, not forgetting poor network segmentation, insecure data transmission and supply chain and hardware tampering. Plus device proliferation, ‘shadow IoT’ and a lack of built-in security and monitoring.

“I have 21 different applications to control at home, whether that’s air conditioning, smart doors, the garage, video surveillance etc,” Tim continued. “There’s an app to control that and it’s all connected to the network but the list goes on. And that’s just the home environment. Take that into the enterprise.”

According to Tim, xIoT devices account for up to 30% of an organisation’s attack surface. This dramatically increases both the quantity and vulnerability of network-connected assets, making them a disproportionate share of the attack surface compared to their perceived importance.

In response, imei IoT Protect was rolled out as a managed service to help organisations stay ahead of threats with “minimal internal effort” – this is a fast deployment service and is “generally up and running” within two weeks.

“We view this as a game-changer because while IoT device manufacturers offer some form of control mechanism for the customer to control devices, there’s no such platform enabling control of millions of different types of devices,” Tim claimed.

Based on early conversations with a select group of customers, Tim reported strong interest in running proof of concepts (POCs) across a range of industry segments spanning enterprise and government.

“As with any process, it starts with a POC and best understanding the learnings which are unique to each organisation,” he added. “There’s no reason why this wouldn’t be relevant because of the sheer amount of connected technology in any given organisation.

“When we run initial assessments and intelligence exercises to understand what’s on the network, the volume of connected devices is significant and most businesses don’t even realise how many are out there.

“The amount of connected devices with an unknown identity and no password protection is scary – people plug things into the network but don’t take the required steps to secure.”

Much like the market however, responsibility is fragmented. It’s often unclear who owns IoT security – IT, OT, facilities or vendors – leading to gaps in governance and oversight. Security budgets are rarely allocated specifically for IoT, so risks remain unaddressed.

“This certainly impacts multiple functions from the CISO in security to the CIO in operations and then across to areas such as facilities management – including surveillances, door access, microphones etc,” Tim shared.

Founded in 2017, Phosphorus goes to market as a provider of unified and prevention-based security management for xIoT. The platform aims to ensure “comprehensive security” by discovering risks, hardening systems and providing continuous monitoring across all industry sectors.

“Phosphorus is well established in the market and is exactly the type of technology we have been looking to partner with,” Tim noted. “This technology strategically plugs into our service proposition and enables us to deliver a full-service across a range of sectors.”

Knowing when to make a market move

As IoT first came into the public conscious in 1999, at that time Tim was ideating on the creation of imei which launched to the market in late 2000. Less than 12 months apart and in tandem since launch.

“This is the most excited we’ve been since 2007 – the market has been pretty stable and consistent since then,” Tim acknowledged.

“But think about what Apple and Android did to disrupt the smartphone market which was 100% in the hands of BlackBerry. You had dumb phones and the only smartphones that existed were BlackBerry and every organisation around the world had one – until Apple came in, changed gears and offered a much broader proposition.”

For Tim, lessons can be learned from Apple’s emergence and dominance of the smartphone market. IoT has been building for more than decade with that market explosion still bubbling away under the surface, waiting to be fully unleashed.

“Remember when the first iPhone came out and people wanted to use it for work?” Tim asked.

“There was panic as businesses scrambled to figure out how to secure it and how iOS compared to BlackBerry. That created an ‘oh, hang on’ moment when companies realised they didn’t have the right tools to control it and secure it.”

Today, that déjà vu moment has arrived with IoT.

“It’s the same compelling time,” Tim continued. “I can’t think of a more important time or era when organisations should know everything that’s connected to their network which then needs to be secured.”

For a company that has been there, done that and worn the t-shirt on IoT, Tim and his wider leadership team have never been short of reasons to abandon this area of the market. Assign it to the “too hard” basket and move on.

Many organisations have entered IoT filled with enthusiasm before quietly exiting stage left. What’s one more business consigned to the scrapheap?

“We’ve always stayed true to the cause,” Tim countered. “We’ve been in business for 25 years and we’ve always strived to create a unique value proposition that the market continues to want.

“Each year, we acquires many new customers because of the value and service we provide. On the flip side, we haven’t lost a customer during the past 12 months.”

In the context of Net Promoter Score (NPS), imei has recorded a score of 80+ for over 10 consecutive years, a number the business “lives and dies on” from a customer experience standpoint.

“Our customers have to see the value otherwise we won’t do it,” Tim outlined. “The market is forever driving margins down to 1% or 2% on hardware or software but our focus is on service value. Hence our approach to IoT and being deliberate in how we truly capitalise on this opportunity.”