3 Key Questions to Help Address Enterprise IoT Security Risks
By Curtis Simpson
Organizations across all industries are looking to the internet of things (IoT) to improve efficiency, better understand customers to deliver truly memorable and competitive experiences, improve decision-making, and increase the value of the business. As a direct result, the endpoint ratio is changing at an even faster pace than we may realize, with these unmanaged devices growing more quickly than the PC and mobile revolutions combined. Armis estimated that by 2021, up to 90 percent of enterprise devices will be unagentable.
Similarly, by 2021, 20 percent of all cyberattacks will be executed through the IoT by 2020. Unfortunately, the risk associated with these new unmanaged and IoT devices is also skyrocketing.
Let’s dive into the details behind this rapidly growing risk by answering three key questions.
1. What Is Enterprise IoT?
Core to the movement dubbed the fourth industrial revolution — or Industry 4.0 — enterprise IoT can be described as physical things embedded with computers to help efficiently solve and optimize business opportunities and challenges. Many enterprises will continue to look to the IoT as they protect and claim market share alongside both traditional and nontraditional competitors. Examples of devices that apply to most enterprises across all industries include VOIP phones, office and facility video and security cameras, printers, temperature sensors and controls, smart lighting, smart TVs, vending machines, and more. There are also many IoT applications focused on responding to industry-specific problems and opportunities, such as retail beacons, quality control sensors, vehicle and building refrigeration unit temperature sensors, magnetic resonance imaging (MRI) machines, infusion pumps, automated guided vehicles (AGVs), prototype printers, and more.
These are not consumer-grade devices. These devices are being implemented in a multitude of use cases ranging from employee satisfaction and standard operations to the real-time handling of 24/7, business-critical transactions and manufacturing. As such, they are core to business collaboration and operations today.
2. Why Is Security an Issue for These Devices?
Enterprise IoT devices are computers with operating systems and inherent network capabilities, just like the PCs or servers for which we’ve been managing risk for decades. However, unlike PCs or servers, they have no security. Most of these computers are purpose-built, walled-off black boxes. That means security agents often cannot be installed, patching can range from difficult to impossible, and traditional scanning solutions struggle to understand what these computers are, let alone their associated risks or exposures.
These devices are hiding in plain sight and growing at a compound rate of 29 percent annually, according to Armis. On average, these devices now make up over 40 percent of the technology in enterprise environments and are running toward the 90 percent mark mentioned earlier. The solutions we’ve long used to discover traditional computers, assess and manage related exposures and risks, and detect and respond to potential attacks were not designed with unagentable devices in mind. Hackers are more than aware that enterprise IoT is not being monitored or protected at a comparable level to traditional devices and software.
In turn, and as seen on numerous prior occasions with new and evolving risk frontiers, bad actors are already focusing their efforts on this weakest link. Look no further than Microsoft’s report on Strontium, released during Black Hat 2019, to appreciate the investments already being made by bad actors targeting enterprise IoT.
3. Is This Really an Issue?
Let’s begin by answering this question with another question: If an environment is running without the ability to discover at least 40 percent of its traditional PC or server assets, assess each asset’s state of risk, and detect, protect against, and respond to cyberattacks occurring on or through the assets, is this an issue? Most would answer yes without hesitation. We know our PCs and servers are being targeted regularly, and through years of practice and iteration, we are confident in our ability to respond to this challenge. We also know that any delay in execution could allow a cyberattack to occur. We need to look at enterprise IoT from the same perspective and with the same level of criticality if we are to continue to safeguard our operations and brand at a level of efficacy comparable to our current programs.
This should begin with a visibility effort. Understand what you have, what it’s doing, how exposed your unagentable devices are, and whether any such devices are actively compromised. Once you know what you have, you can source the solution that works best for your enterprise.