Finding and Fixing Blind Spots in Enterprise IoT Security
By Joseph Chukwube
The Internet of Things has been a breakthrough, and adoption rates keep exploding. There are possibly over 20 billion IoT devices in the world, and by 2025, there may be 75 billion. Even though there has been a rise in smart home devices, most IoT devices are found in businesses, industries, and healthcare. The benefits are overwhelming: from enabling automation of repetitive tasks (both simple and complex), to real-time data insights and analytics, IoT devices make workers more productive, improve customer experience, and reduce operating costs.
However, with the many benefits of IoT devices come serious disadvantages, chief of which is security. Here are some reasons why IoT devices have such serious security risks: For one, IoT devices are created with the primary aim of efficiency, while security takes a back seat. That is why traditional security systems for computers and smartphones such as antivirus software, firewalls, VPNs, etc. don’t work for IoT devices.
According to Zscaler, 83% of IoT-based transactions take place via plain text channels and are very vulnerable to attacks, while only 17% are through SSL. The lack of a security protocol for these devices has created a significant security management gap in many corporations. Without a way to track and secure the many devices in a company, it is only a matter of time before a breach occurs.
These IoT devices have formed a major part of every company’s shadow IT resources, opening the company up to attacks. In 2016, Gartner predicted that a third of attacks against enterprises in 2020 would be through shadow IT resources. Also, the sheer number of IoT devices used by enterprises is a security risk in itself. With every new ventilation & air conditioning system, video conferencing tool, smart door, security camera, etc., there is one more endpoint that increases the risk of an attack.
Coupled with the interconnectivity of these devices, it is easy to understand how much danger most organizations have exposed themselves to. Most connected devices are unmanaged, yet connected to the company’s central servers, giving hackers leeway to penetrate their systems. What makes this worse is the fact that most IoT devices work independently of their operators and can connect to the internet and perform basic operations on their own. That means a hacker can – through one device – access the company’s data with no one’s knowledge.
Another disconcerting blind spot in enterprise IoT security is the proliferation of consumer smart devices in workplaces. Most shadow IT devices are actually unauthorized (personal) devices connected to the company’s network, opening the company up to a wide range of vulnerabilities. For instance, an employee connecting their smartwatch to the company’s network might mean no harm, but is, nevertheless, providing leeway for attacks.
Just as technology is improving, hackers are getting smarter with their attack strategies too. Particularly on the rise are ransomware attacks. A hacker can, for instance, ‘kidnap’ an IoT device and prevent it from functioning properly until a ransom is paid. With these many challenges, how then can enterprises improve IoT security?
Proper Auditing – The natural first step is to take an inventory of IoT devices used in the company. It is impossible to secure a device that the IT team doesn’t know exists, so there should be proper methodologies to evaluate the company’s IoT ecosystem and test networks to know when something is wrong with the system.
Internet of Things Analytics – Beyond simply identifying devices installed, it is important to understand and map the behavior of these devices via analytics. The algorithm could then identify anomalies and automatically alert the security team to risks or attacks. In this way, IoT analytics also covers predictive maintenance.
Data Encryption – Most IoT devices do not come with security functionalities, but a way to mitigate the attendant risks is to encrypt shared data. Connected devices are so-called because they communicate with each other. By gaining access to one device, an attacker can easily intercept data and breach the network. This is more difficult with end-to-end encryption in place.
Isolate IoT Devices – Unless an IoT device is critical to the business’ core services, it need not be on the same network as other major systems. Isolating IoT devices on network segments reduces the risk of a serious security breach. Even if there is a breach, it would hardly be a major tragedy.
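An added example, not part of the original article: a minimal sketch of how the auditing and analytics steps above can be combined, checking observed traffic against a device inventory and a learned per-device baseline. The inventory, flow records, port list and spike threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data: authorised inventory (MAC -> description) and flow
# records (mac, dst_host, dst_port, bytes). All names and values are invented.
INVENTORY = {"aa:00:00:00:00:01": "lobby camera", "aa:00:00:00:00:02": "HVAC controller"}
PLAINTEXT_PORTS = {23, 80, 1883}  # telnet, HTTP, MQTT without TLS
BASELINE_FLOWS = [  # traffic from a known-good learning window
    ("aa:00:00:00:00:01", "nvr.corp.example", 443, 52_000),
    ("aa:00:00:00:00:01", "nvr.corp.example", 443, 49_500),
    ("aa:00:00:00:00:02", "bms.corp.example", 1883, 1_200),
    ("aa:00:00:00:00:02", "bms.corp.example", 1883, 1_100),
]
TODAY_FLOWS = [
    ("aa:00:00:00:00:01", "nvr.corp.example", 443, 51_000),       # normal
    ("aa:00:00:00:00:01", "203.0.113.50", 23, 900),               # new peer, telnet
    ("aa:00:00:00:00:02", "bms.corp.example", 1883, 96_000),      # volume spike
    ("bb:00:00:00:00:09", "cloud.wearable.example", 443, 4_000),  # not inventoried
]

def build_baseline(flows):
    """Per device: the (host, port) peers seen and the largest flow size."""
    peers, max_bytes = defaultdict(set), defaultdict(int)
    for mac, host, port, size in flows:
        peers[mac].add((host, port))
        max_bytes[mac] = max(max_bytes[mac], size)
    return dict(peers), dict(max_bytes)

def audit(flows, inventory, baseline, spike_factor=10):
    """Return sorted (mac, finding) pairs; spike_factor is an assumed threshold."""
    peers, max_bytes = baseline
    findings = set()
    for mac, host, port, size in flows:
        if mac not in inventory:  # shadow device: nothing else is known about it
            findings.add((mac, "unmanaged device"))
            continue
        if (host, port) not in peers.get(mac, set()):
            findings.add((mac, f"new peer {host}:{port}"))
        if port in PLAINTEXT_PORTS:  # flagged even when it is part of the baseline
            findings.add((mac, f"plaintext port {port}"))
        if mac in max_bytes and size > spike_factor * max_bytes[mac]:
            findings.add((mac, "volume spike"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, finding in audit(TODAY_FLOWS, INVENTORY, build_baseline(BASELINE_FLOWS)):
        print(mac, INVENTORY.get(mac, "UNKNOWN"), finding)
```

Findings of this kind are also what tells the team which devices belong on an isolated segment and which flows still need encryption.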
Internet of Things devices are as risky to enterprises as they are beneficial. Securing them differs from securing more traditional devices such as computers and smartphones. A critical action for companies to take is to eliminate shadow IoT devices from office networks while having a system in place to identify and cut off strange traffic. Employees also need to be trained in IoT security so that they won’t inadvertently become security risks, especially through their personal smart devices.