Hundreds of IoT devices connect to enterprise networks, often undetected and without cyber security consideration. Not knowing what is on your network creates a serious threat to your company’s assets and data.
The Internet of Things (IoT) is the driver behind the digital transformation within business. If organizations want to compete in an increasingly digital economy, they have to embrace the technologies of IoT.
With IoT, organizations gain enhanced customer experiences and higher levels of productivity, said Scott Boyd, solutions director of IoT and analytics for ePlus. Many companies are just beginning to recognize the benefits IoT adds.
However, once you commit to IoT in your workplace, you must have a well-defined project plan that includes security as a main building block, not an afterthought. Ignoring security for IoT devices could result in data breaches, financial loss and reputational damage.
Threats and consequences
IoT security became a front-page news item in 2016 when the Mirai botnet, spread through web cameras and other devices, launched distributed denial-of-service attacks against dozens of websites, making them inaccessible and shutting down e-commerce activity. Researchers recently discovered new malware called Reaper that infects embedded systems and establishes command and control of IoT devices. This new malware hasn’t been used in attacks yet, explained Lee Waskevich, vice president of security solutions for ePlus, but it could give rise to significant challenges for IoT security in the coming year, simply because of the number of devices that could be infected and how quickly the malware could spread across networks, both public and private.
“Also, these devices often aren’t properly segmented on the network, so they are placed in a more trusted location within the organization’s environment,” Waskevich added. “If they were to get compromised, this gives attackers an easier way in to get the data they are after or use the amplification of the IoT scale to cause massive outages.”
Window into the network
While organizations continue to add connected devices, many don’t realize why IoT adds risk. Few, if any, of these devices have security software built in. They are designed for their function first and foremost with risks of connectivity as an afterthought. So, here are these devices — dozens or hundreds of them connected to your network — without any type of security visibility or enforcement.
IoT can be used as a window into the entire network, said Boyd. What kind of insight can these connected devices give you about your overall infrastructure? “It can be incredibly positive in giving you insight to your company’s goals or it can open up an incredible point of risk.”
Unfortunately, hackers who have exploited IoT vulnerabilities have a better view into network activity than internal IT staff. Organizations need to put greater emphasis on network visibility to better protect assets and critical information.
Addressing IoT security
IoT devices are often brought on as business functions, sometimes controlled or introduced by third parties, and they don’t fall under IT’s network surveillance.
To protect all the assets accessed by the network, John Maddison, SVP of products and solutions for Fortinet, advised following these three principles:
- Learn what’s on the network. “Learning comes from visibility,” said Maddison, and when you learn what’s there, you can learn what to trust and how to build proper risk profiles.
- Segment. By developing risk assessments, you can then create a segmentation strategy that controls what the device can access.
- Protect everything. Enforce segmentation via continuous monitoring and consistent policy enforcement.
Currently, the most effective security measures for IoT come from outside the devices themselves. Improved visibility and segmentation of the network are starting points. An IoT cyber security policy needs to be put in place, and adherence to that policy begins at the leadership level and trickles down throughout the entire company.
We haven’t even begun to scratch the surface of the amount of damage that can be done via an IoT-based attack or IoT software exploits. Every day new devices are connected to the company network, knowingly and invisibly, putting the network at greater risk.
“IoT’s security focus has to be on the network,” said Maddison. “And no one can afford to ignore the risks.”