Securing the Internet of Things is simpler than you think
- 23 November, 2017 10:14
Just about every business wants to benefit from the Internet of Things (IoT), but as with any other disruptive technology, it’s all too easy to go from hype to hysteria. The potential security risks of adding three billion devices to our networks globally each year are huge—so much so that the U.S. government is now pushing for legislation that requires IoT vendors to build security into these devices at the base level.
However, many organisations still haven’t considered these risks, even as they devise Internet of Things strategies that make BYOD security seem like a nice dream of yesteryear.
Fortunately, securing the Internet of Things (at least from a corporate perspective) should prove a relatively straightforward challenge to solve. That’s not to say it will be easy: the sheer potential volume of devices, coupled with vendors’ limited emphasis on security thus far, means IT pros will have to do most of the legwork in protecting their infrastructure.
But that’s nothing especially new, and neither are the methods and processes which IT leaders can apply to keep the Internet of Things from transforming into the Thing from the Black Lagoon.
The more things change…
The risks posed by the Internet of Things will be largely familiar to IT professionals. Exposure of confidential information, interference with data integrity, roadblocks to application availability caused by rogue devices—all these things happened when the very first smartphones entered the workplace environment.
This time, however, it’s not individual executives or employees sneaking devices into the workplace: rapid adoption of the Internet of Things typically comes fully endorsed by the organisation.
I’m afraid that many such initiatives have sacrificed prudence for speed. IoT implementations, even pilot projects, need full security and compliance reviews just like any new technology—but in the race to beat the competition, due process often goes out the window.
This scenario creates substantial risk of devices going rogue, slipping under IT’s radar, and triggering breaches that the business never even saw coming. No IT leader wants to end up in this place, but they can avoid it by returning to first principles of infrastructure management.
Guarding your organisation’s heart
Most of the risks posed by IoT deployments relate to the data at any organisation’s heart: namely, allowing devices to access or alter it without express permission. When installing new IoT hardware, standard data security principles should apply. A robust monitoring system, covering all endpoints of the organisation’s network and systems, will allow IT managers to not only detect these devices but place them under existing security and asset management policies.
Once there, any IoT device’s unwarranted access to mission-critical data or applications should immediately raise a red flag to admins. And no matter how fast IoT devices evolve—and they’re evolving fast indeed—a strong set of policies will address the most critical risks they might pose.
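The two controls described above (discover every device that appears on the network, then flag any device that reaches mission-critical data outside an explicit entitlement) can be expressed as a small monitoring check. The script below is an added example written for this article, not code from the author or from any vendor: the asset register, the list of mission-critical resources, the MAC addresses and the key=value log format are all constructed for illustration, and a real deployment would feed it from its own asset management system and log collector.

```python
"""
Added example (not part of the original article): a minimal monitoring check that
(1) spots devices not yet placed under the asset register and (2) raises a finding
whenever any device, registered or not, touches a mission-critical resource it has
no entitlement for. All names, MACs, IPs and log lines are constructed sample data.
"""
from dataclasses import dataclass
import re

# Asset register: devices IT has reviewed and placed under policy, with the
# resources each one is explicitly allowed to reach. (Constructed.)
ASSET_REGISTER = {
    "AA:BB:CC:00:00:01": {"name": "lobby-thermostat", "allowed": {"hvac-api"}},
    "AA:BB:CC:00:00:02": {"name": "warehouse-camera-3", "allowed": {"video-store"}},
    "AA:BB:CC:00:00:03": {"name": "badge-reader-east", "allowed": {"access-control-db"}},
}

# Resources at the organisation's "heart": any unentitled access is a red flag.
MISSION_CRITICAL = {"erp-db", "access-control-db", "payroll-share"}

# Constructed access log in a hypothetical key=value collector format.
SAMPLE_LOG = """\
ts=2017-11-23T09:58:01Z src_mac=AA:BB:CC:00:00:01 src_ip=10.20.1.15 dst=hvac-api action=read
ts=2017-11-23T09:58:07Z src_mac=AA:BB:CC:00:00:02 src_ip=10.20.1.22 dst=video-store action=write
ts=2017-11-23T09:59:12Z src_mac=AA:BB:CC:00:00:02 src_ip=10.20.1.22 dst=erp-db action=read
ts=2017-11-23T10:01:44Z src_mac=DE:AD:BE:EF:00:99 src_ip=10.20.1.77 dst=payroll-share action=read
ts=2017-11-23T10:02:10Z src_mac=AA:BB:CC:00:00:03 src_ip=10.20.1.40 dst=access-control-db action=read
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src_mac=(?P<mac>\S+) src_ip=(?P<ip>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    mac: str
    dst: str
    reason: str


def parse_log(text):
    """Parse collector lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def evaluate(events, register=ASSET_REGISTER, critical=MISSION_CRITICAL):
    """Return (unregistered MACs, findings) for a batch of access events."""
    unregistered = set()
    findings = []
    for ev in events:
        entry = register.get(ev["mac"])
        if entry is None:
            # Unknown device: queue it for onboarding under existing policy,
            # and escalate immediately if it already reached critical data.
            unregistered.add(ev["mac"])
            if ev["dst"] in critical:
                findings.append(Finding(ev["ts"], ev["mac"], ev["dst"],
                                        "unregistered device reached mission-critical resource"))
            continue
        # Registered device: only its explicit entitlements are acceptable
        # for mission-critical resources; everything else is flagged.
        if ev["dst"] in critical and ev["dst"] not in entry["allowed"]:
            findings.append(Finding(ev["ts"], ev["mac"], ev["dst"],
                                    f"{entry['name']} exceeded its entitlement"))
    return unregistered, findings


if __name__ == "__main__":
    unknown, flagged = evaluate(parse_log(SAMPLE_LOG))
    print("Devices to onboard:", sorted(unknown))
    for f in flagged:
        print(f"[ALERT] {f.ts} {f.mac} -> {f.dst}: {f.reason}")
```

Run against the constructed log, the check queues one unregistered device for onboarding and raises two alerts: the registered camera reading `erp-db`, which is outside its entitlement, and the unregistered device reading `payroll-share`. The badge reader's access to `access-control-db` is its declared entitlement and stays silent, which is the point of keeping the register and the policy in one place: what counts as "unwarranted" is whatever the register does not explicitly allow.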
The success of this approach, however, depends on how effectively the entire organisation adheres to its security policies. If certain business departments or individuals aren’t abiding by the basics—things like regular schedules of updates, monitoring, and regular downtime for backups and maintenance—then introducing IoT to the mix is almost certainly going to create significant security issues.
IT managers have a responsibility—somewhat moral, most definitely practical—to object if business leaders want to push any IoT project through without full organisational compliance with standard security practices. Only with rigorous standards for maintenance, and comprehensive monitoring for problems should they occur, can IT guard the organisation’s digital heart—and IT professionals’ reputations with it.
Don’t trust the outsiders…
The same rigour needs to be applied not only to internal processes, but to those of IoT vendors and suppliers as well. In fact, I’d argue that IT managers should straight-out refuse to work with any IoT providers whose platforms and/or encryption measures do not comply with their organisation’s security standards.
With IoT technologies still in their relative infancy, IT leaders must do all they can to safeguard their interests against potentially unscrupulous “cowboy” vendors, whether through watertight user agreements or stringent standards for device maintenance and patching.
The IT team should also conduct its own due diligence by verifying that device credentials are secure by default, and that devices have enough memory to host the updates being pushed by the vendor.
Perhaps the best thing any IT leader can do today to secure their IoT projects is their own research. Personally, I’ve become very keen on vetting IoT devices, researching their known vulnerabilities, and even testing them out with my teams to see how durable they are against various attack vectors.
That not only confirms whether our trust in a device or platform vendor is sound—it also gives us far greater confidence in containing a threat should those devices or platforms end up compromised.
We’re still in the frothy phase of the Internet of Things’ hype cycle. I’d say businesses are even more enthusiastic about it than they were with cloud or Big Data at their respective peaks. And the Internet of Things does have huge potential to transform most businesses for the better.
IT leaders just need to keep their wits about them, and apply their basic cybersecurity survival principles, and they’ll be able to avoid their IoT tales of success turning into horror stories.