With the Internet of Things (IoT), what you don’t know can hurt you. So, where to start?
To begin with, it is the familiar story of mass rapid proliferation. Organizations of all sizes are rapidly escalating their use of IoT devices for a wide range of business benefits: to reduce costs, improve operations, leverage big data analytics, accelerate digital transformation or, in most cases, to achieve all of the above.
Research tells us that last year alone there were 7.6 billion IoT devices; IDC expects this number to grow to 41.6 billion by 2025. As an executive, you can’t afford to ignore IoT any longer. You should embrace it as a powerful force for innovation and disruption.
But with its growth, business leaders must also keep their eyes wide open to the risks. IoT can be a potential nightmare if they don’t take the proper steps to build the right cybersecurity foundation and framework.
We have seen how potentially dangerous the expansion of IoT can be without proper cybersecurity safeguards. Palo Alto Networks’ Unit 42 threat intelligence team warned in their 2020 IoT threat report that the healthcare sector is in critical shape due to its equipment running on outdated operating systems. The research also revealed an alarming number of IoT devices are exposed and exploitable. What’s even more worrying is how most (98 percent) IoT device traffic is unencrypted, while 57 percent of IoT devices are vulnerable to medium- or high-severity attacks.
So, what are the essential steps an organization’s CISO and security team must take to ensure an organization can benefit from expanded IoT use while reducing cybersecurity risk?
It is important to acknowledge what complicates the job of security teams: in many organizations, business units are using IoT devices outside the aegis of either the CISO or even the CIO. Any business unit can now buy IoT devices, and it’s unlikely this can be stopped. What CISOs can do is apply a holistic IoT security strategy that guides business units in buying IoT devices, and thereby gain visibility into those devices and start securing them from the outset.
Avoid the land mines
The first step to IoT security sounds simple but rarely is in practice. An organization needs to know what types of devices it has and where all of those devices are located. My analogy is forgotten land mines. There are more than 110 million land mines in the ground right now, according to estimates, and many can’t be removed because nobody knows where they are.
We don’t want IoT devices to be the land mines of the digital future. It is vital that organizations leverage technologies that can identify and account for them, wherever they are located, whenever an organization needs access to IoT data and applications.
According to Palo Alto Networks’ recent The Connected Enterprise: IoT Security Report 2020, IT decision-makers overwhelmingly reported a rise in the number of IoT devices connecting to their networks over the last year, with more than a third (35 percent) reporting a significant increase.
Of course, IoT security goes further than just seeing and locating these billions of devices. It’s also about managing those devices throughout their life cycles. For example, answering critical questions like:
- How can we make sure we can update devices with current security patches, operating systems and other protections as technologies evolve—and as cybercriminals discover new methods of breaking through existing security barriers?
- How can we change passwords on devices in which the passwords may be coded into the hardware?
- How can we track device usage in real time to monitor security risks and ensure that our organization is staying compliant with changing regulatory requirements around the world?
- How can we make sure we can turn off and retire devices when they have been replaced or exceeded their period of usefulness?
These are not idle questions but real issues that business leaders need to understand, and they need reassurance that their security teams are addressing them now. As the world goes from 14 billion to 20 billion to 25 billion to more than a trillion devices, it will become that much more complicated to identify, manage and protect IoT devices throughout their lifecycles.
Fortunately, help to mitigate IoT cybersecurity risk is available. The National Institute of Standards and Technology is in the process of drafting guidelines for IoT device manufacturers to make their products safer and more secure and has already issued a set of voluntary recommended cybersecurity features to include in network-capable devices.
New technology platforms can help to identify IoT devices and manage them throughout their lifecycles. What’s more, the Open Web Application Security Project (OWASP) has taken a leadership role in helping cybersecurity leaders identify the most common vulnerabilities of IoT devices. Its list provides a guide for cybersecurity professionals to follow, and also gives business leaders a firm basis for posing the right questions to their cybersecurity teams.
The most recent OWASP “Top 10” list of IoT vulnerabilities is:
- Weak, guessable, or hardcoded passwords
- Insecure network services
- Insecure ecosystem interfaces
- Lack of secure update mechanisms
- Use of insecure or outdated components
- Insufficient privacy protection
- Insecure data transfer and storage
- Lack of device management
- Insecure default settings
- Lack of physical hardening
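The lifecycle questions above and the OWASP list are the criteria an inventory audit should check against. As an added illustration (this is not code from the post, from Palo Alto Networks or from OWASP), the following script evaluates a constructed device inventory against several of them: unknown owner or location, an operating system the vendor no longer patches, a stale patch level, factory or hardcoded credentials that cannot be rotated, unencrypted traffic, and devices that were replaced but are still seen on the network. The inventory fields, the 90-day patch-age threshold and the sample devices are all assumptions chosen for the example.

```python
"""Audit a constructed IoT device inventory against lifecycle and OWASP-style
criteria.  Added example; field names and thresholds are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Device:
    device_id: str
    owner_unit: str               # business unit that bought it ("" if unknown)
    location: str                 # site/room ("" if unknown)
    os_supported: bool            # vendor still ships security fixes for the OS
    last_patched: Optional[date]  # None if never patched / unknown
    default_credentials: bool     # still on the factory or hardcoded password
    credentials_rotatable: bool   # can the password be changed at all?
    encrypts_traffic: bool        # does it use TLS or an equivalent?
    replaced_on: Optional[date]   # date a successor was installed, if any
    last_seen: date               # last time it was observed on the network


MAX_PATCH_AGE_DAYS = 90  # hypothetical policy threshold


def audit_device(dev: Device, today: date) -> List[str]:
    """Return the list of findings for one device (empty list means clean)."""
    findings: List[str] = []
    if not dev.owner_unit or not dev.location:
        findings.append("unknown-owner-or-location")   # cannot be managed if unknown
    if not dev.os_supported:
        findings.append("unsupported-os")              # outdated components
    if dev.last_patched is None or (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("stale-patch-level")           # no current security patches
    if dev.default_credentials:
        findings.append("default-credentials")         # weak/guessable/hardcoded password
    if not dev.credentials_rotatable:
        findings.append("credentials-cannot-be-rotated")
    if not dev.encrypts_traffic:
        findings.append("unencrypted-traffic")         # insecure data transfer
    if dev.replaced_on is not None and dev.last_seen > dev.replaced_on:
        findings.append("replaced-but-still-online")   # should have been retired
    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map every device id to its findings."""
    return {d.device_id: audit_device(d, today) for d in devices}


def finding_counts(results: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many devices carry each finding, for an executive summary."""
    counts: Dict[str, int] = {}
    for findings in results.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


# Constructed reference date and sample inventory (not real devices).
TODAY = date(2020, 9, 1)
SAMPLE_INVENTORY = [
    Device("xray-01", "radiology", "bldg-a-rm-12", os_supported=False,
           last_patched=date(2018, 3, 1), default_credentials=False,
           credentials_rotatable=True, encrypts_traffic=False,
           replaced_on=None, last_seen=date(2020, 8, 31)),
    Device("cam-07", "", "", os_supported=True,
           last_patched=date(2020, 8, 15), default_credentials=True,
           credentials_rotatable=True, encrypts_traffic=True,
           replaced_on=None, last_seen=date(2020, 8, 31)),
    Device("sensor-22", "facilities", "bldg-b-roof", os_supported=True,
           last_patched=date(2020, 8, 20), default_credentials=False,
           credentials_rotatable=True, encrypts_traffic=True,
           replaced_on=None, last_seen=date(2020, 8, 31)),
    Device("thermo-03", "facilities", "bldg-a-lobby", os_supported=True,
           last_patched=date(2020, 6, 1), default_credentials=False,
           credentials_rotatable=False, encrypts_traffic=True,
           replaced_on=date(2020, 7, 15), last_seen=date(2020, 8, 30)),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY, TODAY)
    for dev_id, findings in results.items():
        print(dev_id, findings or ["ok"])
    print(finding_counts(results))
```

The per-device findings answer the "how can we" questions at the level of an individual asset, while the counts give a business leader the "where do we stack up" view; the thresholds and fields are the parts an organization would replace with its own policy and inventory source.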
No organization is immune to IoT security challenges, whether it is in retail, finance, technology or any other sector. It is important that business leaders ask the right questions. Where does their organization stack up? If business leaders don’t know, it’s time to start asking their cybersecurity leaders. If the cybersecurity leaders don’t know either, it’s time for business leaders to insist that their technology teams get smart about IoT security and to support them in securing IoT devices. The challenges around IoT security are growing rapidly in terms of both volume and variety. The future waits for no one, and there is no better time to take control than the present.
Sean Duca, Vice President, Chief Security Officer, Asia Pacific and Japan, Palo Alto Networks