How to Prevent an IoT Security Disaster

June 7, 2017

Gartner recently estimated that by 2020, the number of Internet-connected objects will increase by 30 times, making the Internet of Things (IoT) a game changer for both businesses and consumers. While the rate of IoT adoption is starting, the security implications are horrifying. A global study conducted by Aruba Networks across more than 3,000 companies found that 84 percent of companies have already experienced some sort of IoT breach. The biggest attack vector was malware, which accounted for almost 50 percent of IoT breaches reported in the survey.

It should come as no surprise that another major vector was human error.

The Internet of Things (IoT) refers to the networking of physical objects that are designed with an IP address for Internet connectivity. These objects communicate with each other and other Internet-enabled devices and systems and have historically been ‘dumb devices’ that stood alone. Today, IoT products span a wide range of devices including cars, refrigerators, medical devices, sensors, home control functions (lights, thermostats), etc.

“Security by design is a mandatory prerequisite to securing the IoT macrocosm, the Dyn attack was just a practice run.”  - James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology

There are several challenges ahead of us on the IoT landscape. First, IoT devices were not designed for security, they were designed for ease of use and accessibility. Second, because these devices are deployed by the end consumer, they install the devices with the default configuration. Last, IoT manufacturers have not given much thought to integrating security into their devices.

Devices that work over the cloud, like printers, web cameras, were not built with security and pose a risk to your business. Businesses that do not keep up with the latest trends will be at the mercy of whatever device a tech-savvy employee brings to work. The problem of Shadow IT, where employees start using new devices and/or cloud-based applications, is a growing issue for businesses. While solutions like Cloud Security Access Brokers offer some relief, here are a few recommendations:

1. Know Your Network

In order to identify and mitigate threats, an organization needs to know what belongs on the network and what doesn’t. For larger organizations, the network is, in essence, a complicated black box that will require a significant amount of effort to understand. The goal is to get an understanding of the environment that is detailed enough to improve your security posture. An organized, methodical approach with regular updates is the best way to get started and maintain your awareness. Understanding your network allows for your IT and cybersecurity folks to identify potential security breaches quicker and to help monitor unknown IoT devices which may be introduced to your network.

2. Develop, Document, and Communicate Policies

As IoT devices are introduced into your network, these devices have the potential to impact mission critical systems and increase exposure to security threats. Developing robust policies takes aim at identifying and adopting best practices that mitigate vulnerabilities. To an employee, it may not be obvious that putting Alexa on their desk to listen to music or watch the news represents a security issue.  But the employee is probably not aware that Alexa records voice recordings in the cloud, which may contain sensitive information that should not be shared. Policies are rarely ahead of technological advances, but they can be encompassing enough to allow avenues for new technology to be introduced in a methodical way.

3. Educate Employees

A recent security survey found that an overwhelming 80 percent of corporate security professionals and IT administrators indicated that "end user carelessness" constituted the biggest security threat to their organizations, surpassing the ever-present peril posed by malware or organized hacker attacks (Source: Ecommerce Times).  Security depends on the people that use your IT systems and applications and rely on a common understanding of the threats and challenges facing IT security.  In many organizations, the users' cavalier attitude toward security was further exacerbated by corporate executives who failed to support their security administrators by enforcing computer security policies.

Not every employee needs to be a security expert, but each employee should understand they have an obligation to act responsibly on the corporate network. There is a happy balance each organization needs to find between requiring annual review and acceptance of terms and conditions of using the network to formal training and education programs. After all, insider threats are still the top risk for enterprises today.  

Click here to subscribe to the blog

Follow @Idenhaus and connect with Hanno on LinkedIn.

By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us

Photo credit: ONR

More News