An ABI Research study from Verizon found that the number of IoT devices is predicted to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices across the globe by 2020. This mountainous level of growth also brings increased security risks.
According to a survey for ISACA’s 2015 IT Risk/Reward Barometer, 72 per cent of security experts said that they don’t feel device manufacturers are implementing sufficient security measures in IoT devices. In addition to this, 73 per cent believe that the current security standards in the industry fail to address IoT-specific security concerns.
The results highlight a substantial security risk, and the severity of this risk is further highlighted by the assertion that 56 per cent of the sample feel their organisation’s IT department is not aware of all its connected devices. The complex boundaries between home and office life are raising the stakes and making it even harder for IT to exercise control. One of the first questions many new employees ask when joining an organisation is “how can I connect my mobile phone up to the corporate email?” It increases the connectivity of the organisation, of course, and drives enhanced productivity, but it also means they are bringing new levels of insecurity into the business.
This is the key challenge that every company today is having to wrestle with, as the Internet of Things continues its onward march. They may decide they want to have a trust-based business model that drives flexibility but they can’t afford for that stance to negatively impact the security of their business.
Organisations should really ask themselves – first, do they allow this expansion of the corporate Internet of Things at all? Second, if they do, what corresponding security do they impose on the individual? The use of personal mobile phones in the office environment is an issue in itself. Most people only use a simple password on their phones and it’s relatively easy for anyone to replicate them, or effectively socially engineer that person into releasing information they should not.
Equally, once a personal device has become connected to the network and that individual leaves the business, he or she will take those emails and contacts with them. If the business does allow this to happen, there has to be a policy that gives the company rights, if needed, to access that individual’s phone and remove all corporate information. Alternatively, the company will need to employ technology, allowing it to remotely wipe all of the business contents on the phone.
But the threat posed by the Internet of Things extends beyond the simple mobile phone. The potential risks are everywhere. The latest vogue is for connected smart TVs in the company boardroom. The most cutting-edge are voice-activated, but have you stopped to consider the security ramifications? The voice recognition capability is typically on the Internet rather than the device itself, so private conversations conducted in the room while the device is on could be transmitted externally.
Corporate laptops connected up to home networks will almost certainly be subject to less stringent security controls than when used in the office environment and therefore more prone to viruses and phishing attacks. The latest camera phones, computer apps and intelligent personal assistants bring additional concerns.
Get the Balance Right
It’s important to put this in perspective, of course. Movements like home and remote working, BYOD and the Internet of Things have transformed the business environment, bringing enhanced flexibility, operational efficiency and raised productivity. Too many restrictions can stymie those developments, making home working less flexible and productive and negatively impacting morale.
That said, in today’s increasingly Internet of Things enabled age, businesses must put certain ground rules in place to ensure that their security is never compromised. Technology can only go so far, but if that technology is open or insecure then you run the risk of letting something onto the network that you really shouldn’t, from Internet-enabled cameras to smart TVs to a host of other uncertified devices. Best practice would be to implement technology to prevent any interaction with bad websites and exploited locations, for example. But before you do this, you need to put policies in place.
Any new device plugged into the corporate network should be authorised. Moreover, visitors to the business should only be allowed onto a guest network (which should also be time-limited to prevent repeated use of company resources over time). Contractors should not be allowed to use their own software, connect and do what they want on your network.
In terms of security, you need to work on the basis that ‘if you don’t know, the answer is no’. The Internet of Things is concentrated on accessibility and high capability, but if you want to make the most of its advantages, you need to remain aware of its risks and not fall foul of the hidden dangers.
Mike Simmonds, managing director, Axial Systems