The network vulnerabilities hiding in plain sight

(Image credit: Methodshop / Pixabay)

There is no denying that, for better or worse, the flurry of smart Internet of Things (IoT) devices that have flooded the market over the last decade has fundamentally changed our lives. The lights and speakers in our homes are now controlled from our mobile phones, wearables tell us how many steps we’ve taken in a day and provide our heart rate, and autonomous vehicles have started delivering food from restaurants straight to our front doors. While these advancements are certainly impressive, the ever-growing number of IoT devices has also increased our vulnerability to cyberattacks.

There are now over 8.4 billion smart devices in the world – about a billion more than there are people. This number is set to nearly triple to 20.4 billion by the end of 2020. While a lot of these devices are consumer focused, many will find their way into an enterprise environment, because people naturally take their smartphones with them to work or because companies are encouraging a Bring Your Own Device (BYOD) policy. Overall, 90 per cent of businesses are expecting the number of connected devices to increase in the next two years.

Businesses: a lucrative target

“What is the Wi-Fi password?” It’s one of the first questions guests or new employees often ask. Few companies have a policy in place that regulates how these devices may or may not be used in a professional setting or which devices are allowed to connect to the company network in the first place. This means that network administrators and IT professionals can have a hard time figuring out what devices are actually connected to their network. In fact, 4 out of 5 UK businesses are not confident that they can see every device on their network.

The security implications of this are severe. Every device is an access point to the network and consequently a potential vulnerability to the system. All it takes is for one user to fall victim to a phishing scam or accidentally visit a malicious website for the whole company network to be compromised. Or, even worse, personal devices that may already be infected are brought into work and compromise the network by simply connecting to it. It doesn’t help that most people don’t change the default settings and passwords on their devices, which creates additional vulnerabilities. Unsurprisingly, 54 per cent of IT professionals admit that the security concerns around these connected devices are giving them anxiety.

The threat of an attack on a company network is very real. The UK’s National Cyber Security Centre (NCSC), which was founded in late 2016, observed over 590 major cyber incidents during its first twelve months of operations, with the majority of these attacks being targeted at companies. A business is a particularly lucrative target for cybercriminals, given the sensitive information stored on its network and the fact that, when blackmailed, companies are also far more likely to pay up in order to regain control of their files and restore operations.

We saw this behaviour in action earlier in the year when the WannaCry ransomware compromised thousands of computers across 150 countries and raked in tens of thousands of dollars in ransom. The fact that the attack didn’t spread any further was down to sheer luck. But at that point, many businesses and organisations around the world had already paid up. It comes as no surprise that the NCSC named WannaCry ransomware the biggest security challenge of this year.

While WannaCry may have primarily wreaked havoc on factories, public infrastructure and hospitals, any organisation can be vulnerable to a potential attack. Worryingly, it doesn’t sound like many organisations have learned their lesson or stepped up their cybersecurity efforts in the aftermath of WannaCry. Despite the attack severely paralysing the UK’s National Health Service for weeks, a new report from Infoblox about cybersecurity in healthcare revealed that only a quarter of healthcare IT professionals in the UK believe that their organisation can’t deal with cyber threats.

Four steps to success

Three out of four companies agree that the rise of connected devices in an enterprise setting creates significant security challenges. However, while aware of this challenge, nearly half of IT professionals believe that budget restraints are the biggest barrier that keeps their organisation from being able to put adequate security measures in place. But even in cases where budgets are increased, organisations must ensure that the budget for security around connected devices grows proportionately with the number of devices in the network.

Any company wanting to redefine its network security strategies in the wake of substantial IoT growth should start with the following four steps:

1. Improve awareness and visibility into IoT devices – Understanding what specific devices are on the network, what operating systems they run and what activities they are undertaking is a crucial first step in getting the house in order. Businesses can’t defend their networks against threats they can’t see.

2. Put greater emphasis on compliance – Many companies tolerate an unhealthily high level of risk when it comes to IoT security compliance. Reducing this risk should be a key focus for any company taking security threats seriously. In conjunction with heightening their awareness of these threats, security leaders will become more confident if audited and lower their tolerance of risk.

3. Centralise management and implementation of IoT devices – Most companies usually manage devices centrally under security operations or IT control. Yet there is often still a disconnect in who specifically is responsible for the configuration and implementation of security procedures. By centralising both the management of these devices and implementation of security procedures, businesses will be much more consistent in how they identify and configure new devices on the network.

4. Get external expertise – Even if IT budgets are increasing, not every company is in a position to hire dedicated network security managers. Sometimes, businesses simply don’t have the expertise they need to deal with the growing security risks that IoT devices pose. In these situations, it is important that organisations work with trusted partners that allow them to deploy IoT security solutions that can easily and quickly be integrated into existing security systems.

Protecting an enterprise network from cyberattacks and reducing the risk of it being compromised should be an ongoing effort rather than a one-time exercise. But working with partner organisations to increase awareness of all the devices on a network and implementing a centralised management system that helps ensure compliance is a good starting point for businesses that want to take their network security efforts seriously in today’s hyperconnected world.

Myles Bray, Vice President EMEA, ForeScout