Will the enterprise welcome the Internet of Things?

IoT devices pose a security risk organisations can't afford to ignore.

Just three years ago, the concept of IoT (Internet of Things) was still fresh; people bought devices because they were ‘cool’ or because it seemed that we could improve quality of life with ownership. This area of the market has seen huge growth since then – and IoT has changed - almost any device is available in this new form, from the norm of personal assistants and security cameras to the more diverse, in the form of coffee makers and even umbrellas. 

The general excitement around IoT has led to market consumerisation faster than security standards have kept pace. These devices are small, often simple and built to a budget, which does not always allow for security implementations – and, because of the way they are purchased even those devices with security do not always have it properly configured by the end-user. 

Demand for devices has in many cases pushed prices down to rock bottom, with security typically only a secondary consideration; some manufacturers provide remote access to allow firmware updates, or include only basic security defaults. Placing traditional anti-virus software capabilities on many IoT devices would also require additional hardware and connectivity, in turn increasing production costs. 

Consider this: In 2015 there were over 430 million new pieces of malware discovered – that’s around 13 discoveries per second. To be able to protect against attacks on IoT devices, there needs to be a new security model, which detects and understands malware before it gets to the device; traditional models will not work. 

As a business, there is a responsibility to protect users’ data and network infrastructure – combined, these are what will help drive brand recognition. The reality is that IoT is penetrating the enterprise and companies need protection with the earliest possible warning against different types of malware, especially malware with the potential to infiltrate using IoT devices as a vector. 

Will 2017 be the year we hear of the first attack where IoT is used to steal corporate data? This is a threat that has to be taken seriously, as it is very real - now is the time to consider how to improve process, policy and technology for the safer, more productive use of connected devices. 

Business IoT is common, but it’s personal devices that are really driving this technology trend – we’re buying everything from storage to desktop gadgets, all of which could be brought into work and connected to the network. 

Businesses Use IoT 

There are plenty of valid business use cases for IoT, driving both personal and professional effectiveness. We’re familiar with never-empty IoT coffee machines or network-connected  printers and lighting – but now we’re seeing integrations with scheduling or email allowing IoT-enabled meeting rooms which are available on demand, or tagging assets to enable just-in-time order processes. 

All these devices need network access, and many will require internet access for cloud storage of data and configuration. They will also be connected to the company network, which has the potential of exposing the network – a compromised coffee machine may be frustrating for users needing a caffeine fix, but the breach could also expose the network and corporate data to a targeted attack. 

When we design infrastructure for enterprise IoT, it’s important that these devices are treated as a threat risk from the outset. Whereas a laptop or tablet has layered protection against malware, we may not want to assume that this is the case with IoT devices. It’s critical for users to understand how these devices will access the Internet, what services will be necessary and which are just nice-to-have, and how they will receive updates. We need to remain in control of IoT on the network, and not let IoT take control of the network. 

Personal IoT Devices 

We all love our personal IoT devices; they are fun, they are cool and they are the future. The device itself may be innocuous and sometimes even personally beneficial. However, these devices connect to cloud services and, without the proper security settings, they have the potential to expose a corporate network, providing opportunity for anyone planning a socially-engineered and targeted attack. 

Now is the time to create policies for the use of IoT devices. We cannot afford to be naive about their use - it is happening. People have personal back-up drives, cameras, gaming devices, and fitness devices, so it is critically important to ensure that your business is prepared and protected. You really only have three choices:
 
Ban: Do not allow any use of IoT at work: Unless you are in a government organisation, an air-gapped business, or have never allowed personal electronics, this may not be a practical solution. Banning IoT altogether could drive it further into the shadows. People will use it just outside the office, in the car-park, or in the washroom. And worse, not knowing means not seeing, so a total lack of visibility may be the result. Banning altogether could make you even more vulnerable should an attack occur.  

Ignore: Allow use of IoT with no supervision: This response is equivalent to an ostrich burying its head in the sand – it ignores reality and is highly risky. Allowing the use of any IoT device makes it impossible to track, and in turn, when a breach occurs, it will be difficult to detect. This approach is definitely not recommended. 

Allow: But implement security awareness for users: This will likely be the best response for most enterprises. By implementing good, and regular, security awareness training for users, they become more aware of the risks and better capable of applying a form of security (strong passwords, disabling Internet management). Devices will be visible and protected because they are in plain-sight. There may be devices which are not allowed on the corporate network, but these will be the exception, not the rule. People will come to understand. 

So, to answer the question posed at the start– ‘Will the enterprise welcome connected devices?’ - well, in fact you won’t have a choice as IoT is inevitable. Where you do have a choice is how you protect yourself from those connected devices and ensure that IoT doesn’t equal “Internet of Threats.” 

Image Credit: Bakhtiar Zein / Shutterstock