The relationship between network security and the Internet of Things (IoT) has never been easy, but it appears to have reached a tipping point.
For some time, one of the primary concerns with IoT has been its impact on network security. This is because a greater number of devices are connecting to the network, resulting in a much higher risk of hackers being able to gain access and do damage. This is not a new issue. What is new is the alarming rate at which consumer-grade IoT devices are being brought into the workplace by end-users, who connect them to corporate networks. They often do this without alerting the IT department, and then seem confused by IT’s concern. ‘Shadow IT’ isn’t going anywhere.
This has left many IT professionals now asking the question, “How can we defend against devices we don’t know exist?”
The true challenges
The issue facing IT professionals is not simply the sheer number of unregulated IoT devices entering the workplace, but also the nature of the devices themselves. Upon close inspection, there are issues in the technological foundations of these devices that lead directly to security holes.
Often, IoT devices, such as wearables, that are brought into the workplace are relatively inexpensive and focus on providing a consumer-targeted user experience, rather than a more robust business use. This means they lack legitimate security features. Generally speaking, consumer-grade security software is not able to fulfil the more advanced demands of a business. So, when these devices enter the workplace, they bring with them security vulnerabilities that can be capitalised upon with relative ease.
Similarly, many consumer-grade IoT devices aren’t engineered to auto-update, and are often left unprotected due to outdated security software that end-users don’t know about. Therefore, we are now beginning to see networks that are configured to identify unapproved devices and shut down the port to remove any potential threat. However, this level of network sophistication requires specialised security professionals, who are predominantly seen in larger enterprises. For IT professionals who are not operating in such environments, it is crucial to maintain full visibility of who and what is accessing your network.
Much of the same was said for the influx of smartphones and the rise of BYOD almost ten years ago now. The difference here? Rapid adoption of the IoT typically comes fully endorsed by the organisation. With enterprises across all industries racing to capitalise on the benefits of IoT, many initiatives have sacrificed prudence for speed. This is true for both company deployments and employee devices.
It’s a scenario that creates substantial risk of devices going rogue, slipping under IT’s radar, and triggering breaches that the business never even saw coming.
Staying one step ahead
Given the variety of challenges that IT professionals now face from IoT-enabled devices, it would be fair to assume they are fighting a losing battle. Yes, the list of connecting devices continues to grow and grow, but that doesn’t mean it’s too late to implement an effective strategy to help prevent any further security issues. Below, you will find the best approaches to adopt when building this strategy.
Create a device management policy: A policy that lays out guidelines for IoT device integration and connection to your network will help streamline the management process.
Devise a vetting process for new devices: For each connecting device type, IT professionals should ask themselves, “Does my organisation want to allow this device on the network?” There may be known vulnerabilities associated with specific devices that you need to be wary of, and there may even be certain devices that require access to secure data that must therefore be prohibited.
Gain full network visibility: It should be a priority to itemise every device that is currently connected to the wireless corporate network, to determine the threat level of each. This task can be aided by a set of comprehensive network management and monitoring tools, which will also provide visibility into who and what is connected to your network, and where and when they connect.
Create owner documents: In the event of a data breach, your resolution time will be significantly improved if you can quickly locate the device and its user. This is best achieved by maintaining owner documents that specify who is responsible for individual devices.
With these records in place, the wider enterprise will benefit from a culture of ownership, making end-users responsible for ensuring that their devices are regularly updated with security software.
Be aware: Perhaps the most overlooked piece of advice I can give to any IT professional amidst the IoT revolution is to simply be aware. Keeping one eye on the current cybercrime landscape will help ensure that you maintain an up-to-date awareness of the methods used by today’s cybercriminals. You will then benefit from knowing exactly what you should be preparing your network for.
Make security a culture: The success of any security strategy depends on how effectively the entire organisation adheres to the policies that IT sets out. If certain business departments or individuals aren’t abiding by the basics (things like regular schedules of updates, monitoring, and regular downtime for backups and maintenance), then introducing IoT to the mix is almost certainly going to create significant security issues. The big thing here is company-wide education. It’s about making sure everyone understands not only what the policies are but also why they exist and the consequences for breaking them.
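As an added example (not part of the original article), here is one way to tie together the vetting, network visibility and owner-document steps in the list above: compare the devices currently holding a DHCP lease against the owner register and flag anything unknown or not approved. It assumes the lease data is in the dnsmasq lease-file layout; the register columns and all sample values are constructed for illustration.

```python
import csv
import io

# Constructed sample data (not from the article). Leases use the dnsmasq
# lease-file layout: expiry-epoch, MAC, IP, hostname, client-id.
LEASES = """\
1735689600 3c:22:fb:10:aa:01 10.0.20.14 fin-laptop-07 01:3c:22:fb:10:aa:01
1735689900 B8:27:EB:4F:19:C2 10.0.20.77 * *
1735690200 50:c7:bf:02:9d:e4 10.0.20.81 smartplug-kitchen *
1735690500 f0:18:98:6b:33:10 10.0.20.92 fitband-jsmith *
"""
# Hypothetical owner-document register: one row per device put through vetting.
OWNER_REGISTER = """\
mac,owner,device_type,approved
3C:22:FB:10:AA:01,a.khan,laptop,yes
50:C7:BF:02:9D:E4,facilities,smart-plug,yes
F0:18:98:6B:33:10,j.smith,wearable,no
"""

def norm_mac(mac):
    """Canonicalise a MAC so case and separator differences cannot hide a match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text):
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:  # skip blank or truncated lines
            yield {"mac": norm_mac(f[1]), "ip": f[2],
                   "hostname": None if f[3] == "*" else f[3]}

def audit(leases_text, register_text):
    """Return (status, lease, owner) for every device holding a lease."""
    rows = csv.DictReader(io.StringIO(register_text))
    register = {norm_mac(r["mac"]): r for r in rows}
    results = []
    for lease in parse_leases(leases_text):
        entry = register.get(lease["mac"])
        status = "UNKNOWN"  # on the network, but no owner document
        if entry is not None:
            approved = entry["approved"].strip().lower() == "yes"
            status = "OK" if approved else "NOT_APPROVED"
        results.append((status, lease, entry["owner"] if entry else None))
    return results

if __name__ == "__main__":
    for status, lease, owner in audit(LEASES, OWNER_REGISTER):
        print(status, lease["ip"], lease["mac"], lease["hostname"], owner)
```

MAC addresses can be randomised or spoofed, so a match against the register is an inventory check, not proof of a device’s identity.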
We’re still at the peak of the IoT hype cycle. Businesses and consumers alike are even more enthusiastic about it than they were with cloud or Big Data at their respective peaks.
Make no mistake, IoT is not going anywhere, and it does have huge potential to transform most businesses for the better. With that comes an increasing number of connected devices. Ensuring that the IoT revolution in your workplace does not lead to security issues is a huge undertaking, but one that is vital to data protection. The approaches outlined above will go a long way in making sure that your management strategy is fit for purpose, leaving your business free to enjoy the benefits of IoT.
Destiny Bertucci, Head Geek at SolarWinds