With nearly 25 billion devices making up the Internet of Things (IoT), online-capable devices can be found in nearly every corner of any given business’s daily operations. Organizations implement solutions that automate everything from building operations (e.g., access control, light and temperature and energy use) to manufacturing processes (e.g., inventory systems and tracking). In doing so, however, businesses are also increasing their exposure to risk, oftentimes without even realizing it.
A seemingly unimportant smart device like a refrigerator or an HVAC system may appear to have an inconsequential amount of risk when business operators are evaluating risk at an enterprise level; however, because these devices have “always on” capabilities, they, too, can be compromised in the event of a cyber-attack. Even small, seemingly insignificant devices with online capabilities pose threats and provide opportunities for data exposure and other types of cybercrime. Risks revolve around issues of compliance, ownership of technology and related data, and management of identity and access control.
Because IoT devices are typically networked together, cybercriminals can use some of the less obvious devices to access a business’s critical systems. This setup is reason enough for why businesses must properly evaluate and vet all devices prior to introducing them into their organizations. If a device does not have the required levels of security installed within it then chances are even IT professionals will not be able to upgrade the device to the proper level of security. Businesses should seek alternative solutions instead. Additionally, businesses should ensure the communication between devices on their network is secured properly. This tactic involves learning and assessing how devices operate ordinarily so that organizations can identify situations that exhibit abnormal behavior. It also involves appropriate device/network maintenance and management, including finding and patching vulnerabilities and installing updates.
While it’s true that IoT devices are often networked together, it’s not true that they have to reside (or even should reside) on the same network as the rest of a business’s servers and users. Instead, organizations should—at a minimum—use an internal segmentation firewall to limit IoT access exclusively to Internet-based update services, hosted management applications, and (under strict policy enforcement) monitoring software that lives in the operational environment. This configuration keeps poorly designed/secured IoT devices isolated from a business’s key assets and greatly reduces the risk for an attack in the event those key assets are compromised.
Taking a proactive approach will also benefit businesses when it comes to managing existing and new IoT technology. Organizations should create (and update as necessary) a plan for routinely monitoring all of their IoT devices that includes schedules, responsibilities and required actions (e.g., how often to perform scans, who will patch any discovered vulnerabilities). Similarly, businesses should be proactive about training their employees on data management and proper security practices both from the time employees are hired and throughout their time with the organization. As always, organizations should use best practices when it comes to how much data they are collecting, how they are storing that data and how they are controlling access to it.
Dunbar offers a wide variety of solutions to secure and protect your network. To learn more, visit dunbar2016.app.