Are you a CISO, IT manager or a third-party IT support provider in charge of securing a corporate network? Whether you are worried about the impact of the growing IoT or convinced your organization is safe from threat, we recommend you read through this article to ensure you have taken all the necessary steps to assess and mitigate your risk.

Let’s start by looking at the scale and the scope of the IoT ‘problem.’

Scoping the Problem

IoT is mostly seen as a good thing for businesses, adding new ways to harness data and using this, often in combination with AI and machine learning, to make processes more efficient all along the supply chain.

However, every new device connected to your corporate network, whether that be a router, heat sensor, camera or even a ‘smart’ coffee machine, expands your attack surface, increasing the chances of a hack or a data leak.

The risks to your organization are compounded by the fact that IoT devices challenge traditional security measures in several ways. For example, they are often:

  • Outside of the company’s monitoring strategy
  • Left unattended and unmanaged (physically and digitally)
  • Impossible to update (the vendors may never update the firmware or software)
  • Difficult to update (those that are updatable may lack a UI)
  • Not powerful enough to run antivirus or other security software
  • Shipped with default passwords
  • Unsupported by the vendor

Concerns about hacking aren’t unfounded either. In 2018, a Ponemon Institute survey found that 21% – that’s over a fifth – of companies surveyed had suffered a data breach or cyber attack specifically due to unsecured IoT devices. This figure was up from 16% the previous year.

Now that the danger should be plain to see, let’s turn to the six solutions that you can start implementing immediately.

Solution 1: Take an inventory and run an impact report

You can’t see what you don’t know is there.

That may seem an obvious point, but many organizations fail to take stock of connected devices because they cannot configure or update them. These devices then become part of your ‘shadow IT’ and could even develop into a system within a system.

The first step in addressing these blind spots is to take an inventory and define the absolute boundary of your corporate network. Next, assess each IoT device to uncover what type of data it generates and processes and which corporate networks it connects to. This will help you to create an impact report for each device.

Solution 2: Use network management tools and include all devices

You may not be able to configure or update a machine, but that doesn’t mean you can’t monitor it. You may find that existing network management tools are sufficient to track the signals generated by these assets, or you may choose to upgrade your software or use managed IT security services to improve this capability. A good IT consulting firm will be able to talk through the different vendor options with you.

Ideally, you should be able to monitor each IoT device in real time and also have the signals it generates processed by a smart system which can recognize its fingerprint and alert you to any anomalies.

By tracking IoT devices in this way, including employee BYO (bring your own) IoT devices, you can also detect and remove any unauthorized devices.
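The inventory-then-monitor sequence of Solutions 1 and 2 can be reduced to a reconciliation step: compare what the network actually sees against the inventory from Solution 1 and report what is unauthorized, what is missing, and what cannot be patched and so needs closer watching. The code below is an added illustration, not part of the original article; the lease lines and the inventory entries are constructed sample data, and the lease format is a simplified, hypothetical one.

```python
import re

# Constructed DHCP-lease style observations (sample data, not real):
# one lease per line with the MAC address and client hostname.
OBSERVED = """\
lease 10.0.1.21 { hardware ethernet aa:bb:cc:00:00:01; client-hostname "cam-lobby"; }
lease 10.0.1.22 { hardware ethernet aa:bb:cc:00:00:02; client-hostname "thermo-2f"; }
lease 10.0.1.23 { hardware ethernet de:ad:be:ef:00:09; client-hostname "coffee-pro"; }
"""

# Hypothetical inventory built under Solution 1: MAC -> attributes that feed
# the per-device impact report (owner, data handled, whether it can be updated).
INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "facilities", "data": "video", "updatable": True},
    "aa:bb:cc:00:00:02": {"owner": "facilities", "data": "telemetry", "updatable": False},
    "aa:bb:cc:00:00:03": {"owner": "marketing", "data": "none", "updatable": True},
}

LEASE_RE = re.compile(
    r'lease (\S+) \{ hardware ethernet ([0-9a-fA-F:]{17});'
    r'(?: client-hostname "([^"]*)";)?'
)


def parse_leases(text):
    """Return {mac: {"ip": ..., "hostname": ...}} for every lease line."""
    devices = {}
    for match in LEASE_RE.finditer(text):
        ip, mac, host = match.groups()
        devices[mac.lower()] = {"ip": ip, "hostname": host or ""}
    return devices


def reconcile(observed, inventory):
    """Compare observed devices with the inventory.

    unauthorized: on the network but never inventoried (shadow IT / BYO IoT)
    unseen:       inventoried but not currently observed (moved, dead, or stolen)
    watch_closely: known devices that cannot be updated, so monitoring is the
                   only control available for them (Solution 3)
    """
    unauthorized = sorted(set(observed) - set(inventory))
    unseen = sorted(set(inventory) - set(observed))
    watch = sorted(m for m in observed if m in inventory and not inventory[m]["updatable"])
    return {"unauthorized": unauthorized, "unseen": unseen, "watch_closely": watch}
```

Run on a scheduled basis, the "unauthorized" list is the trigger for Solution 2's remove-or-approve decision, and "unseen" catches devices that silently left the network.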

Solution 3: Create a software update management policy

Any devices which can be updated should be added to a company software update management policy. Entries for each device should include who bears responsibility for applying firmware and software updates, how updates will be applied (manually or automatically), how they will be checked, and vendor support details. Where devices have a limited support period, plans should be made to replace the device once support ends.

Ideally, all IoT devices will be updatable. If you must use a device which can’t be updated, it is particularly important to monitor signals from it to ensure it doesn’t become a weak link into your business’s core systems.

Solution 4: Use Identity and Access Management (IAM)

Most security breaches happen because of human error. To reduce the risk of a catastrophic breach, all employees should only have access to the systems they need to do their work and permissions to perform the tasks they are paid to do. For example, sales reps should probably be unable to access the company’s accounting system while junior members of the accounting team might only be allowed to view and not edit company accounts.

A good IAM system will handle this for you by enabling you to assign individual users to groups and set permissions per group and even per user. Your IAM system should be actively managed with employees moved to different groups when they change roles. When employees leave the company, their user access privileges should be immediately revoked.

Solution 5: Employ User Behavior Analytics (UBA)

In addition to managing user access, you also need to track it. Smart UBA software can monitor user behavior (log-in time, log-in location, systems accessed, tasks carried out, etc.) and use AI-driven pattern recognition to spot any anomalies. So if Jose in accounts usually checks the company accounts once a week on a Friday afternoon, the software will flag it if he starts logging in from a different state on a Monday night.

At the same time, it is good practice to educate genuine users about how to prioritize security when working with devices. They may not understand why it is important to set a password for a new printer, for example, as they may be used to printers being harmless one-task devices rather than a potential back door into your corporate IT network. You could even ask them to call in ahead of time if they plan to use devices at unusual times or locations, so that your IoT management team can discount the resulting UBA monitoring alerts.
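The Jose scenario above, as an added example that is not from the original article: a per-user baseline of login weekday, time block and location is learned from history, a new login is scored against it, and a planned exception (the "call in ahead of time" step) suppresses the alert for that day. The login history is constructed sample data, and the weekday/six-hour bucketing is an assumption chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login history (sample data): "user,ISO timestamp,state".
# Jose checks the accounts on Friday afternoons from California.
HISTORY = """\
jose,2019-03-01T14:05:00,CA
jose,2019-03-08T14:40:00,CA
jose,2019-03-15T15:10:00,CA
jose,2019-03-22T14:20:00,CA
"""


def bucket(ts):
    """Weekday plus a six-hour block, so 14:05 and 15:10 land in one bucket."""
    return (ts.weekday(), ts.hour // 6)


def build_baseline(history):
    """Learn, per user, the (weekday, block) buckets and states seen so far."""
    baseline = defaultdict(lambda: {"buckets": set(), "states": set()})
    for line in history.strip().splitlines():
        user, ts, state = line.split(",")
        ts = datetime.fromisoformat(ts)
        baseline[user]["buckets"].add(bucket(ts))
        baseline[user]["states"].add(state)
    return baseline


def assess_login(baseline, user, ts, state, exceptions=()):
    """Return the anomaly reasons for one login; an empty list means normal.

    exceptions holds (user, "YYYY-MM-DD") pairs announced ahead of time,
    which the IoT management team uses to discount the alert for that day.
    """
    ts = datetime.fromisoformat(ts)
    if (user, ts.date().isoformat()) in exceptions:
        return []
    known = baseline.get(user)
    if known is None:
        return ["no baseline for user"]
    reasons = []
    if state not in known["states"]:
        reasons.append(f"new location {state}")
    if bucket(ts) not in known["buckets"]:
        reasons.append(f"unusual time {ts.strftime('%A %H:%M')}")
    return reasons
```

A real UBA product adds many more signals (systems accessed, tasks carried out), but the baseline-and-deviation structure is the same.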

Solution 6: Prioritize IoT Security From the Top Down

Finally, the best way to ensure your IoT devices (and your corporate network) have maximum protection is to ensure everyone, from the CEO down to the front-line workers, is made aware of the importance of cybersecurity, the specific risks the IoT brings and the part they play.

A simple router hack was enough to deprive PIR Bank in Russia of $1 million, but IoT devices can also be used for corporate espionage or even to cause damage at the hands of hacktivists or rogue nations.

With the number of IoT devices expected to reach and surpass 10 billion in the next couple of years and over 80% of companies expecting their IoT to be breached during this time, we think it is high time all CISOs acted to properly secure their assets. If they don’t, their reputation and future employability could be on the line as they will be held responsible for any slip-ups.

If this is something that concerns you, the best response is to take proactive measures to secure your IoT-connected devices. Implementing the six solutions above will put you in a strong position to mitigate the coming risks while enjoying all the benefits that the IoT will surely bring.

Brent Whitfield

Brent is the CEO of DCG Technical Solutions Inc. DCG provides the specialist advice and IT services Los Angeles area businesses need to remain competitive and productive, while being sensitive to limited IT budgets. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. He also leads SMBTN - Los Angeles, an MSP peer group that focuses on continuing education for MSPs and IT professionals. DCG was recognized among the Top 10 Fastest Growing MSPs in North America by MSPmentor.