The proliferation of IoT devices, particularly in the workplace, has left businesses with a new set of security challenges to deal with. For any company considering investing in IoT devices, it is important to understand the nature of these challenges and how to address them.
One of the biggest challenges to enterprise IoT adoption is shadow IT. Normally, an organization’s IT department authenticates every device that connects to the network and maintains comprehensive visibility over all of them; unsanctioned IoT devices bypass that process. In addition, the large amount of unstructured data these devices collect broadens the attack surface in the absence of reliable analysis and interpretation.
IoT devices are notorious for data privacy issues, which may serve as an avenue for social engineering and phishing attacks against employees. Other major IoT challenges to enterprise security include ambiguous security standards and a general lack of security hygiene.
IoT Security Challenges
“You can’t protect what you can’t see,” so the saying goes among cybersecurity professionals. And in recent times, the “what you can’t see” category (in other words, shadow IT) has been growing exponentially. The result is the multiplication of security risks for organizations. Unsanctioned and unmanaged IoT devices are blind spots and increase a company’s vulnerability as well as the attack surface.
In a study involving IT leaders from four countries including the United States and the United Kingdom, 78% reported that more than 1,000 shadow IoT devices were connected to their enterprise network on a typical day. Devices such as fitness trackers, digital assistants, smart TVs, gaming consoles, kitchen appliances (such as office microwaves), smart speakers and so on made up the bulk of shadow IoT devices.
This trend is disconcerting, and organizations must take active steps to address the challenge. One way to mitigate these risks is to isolate IoT devices on a separate network from the organization’s main network. In addition, the IT department should maintain comprehensive visibility over the corporate network and strictly enforce the company’s cybersecurity policy regarding connected devices.
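As an added illustration of the two controls just described (not code from the article), the following Python compares a constructed snapshot of devices seen on the network against a constructed IT asset inventory, flagging unknown devices and approved IoT devices that have ended up outside the isolated IoT network. The VLAN numbers, MAC addresses and hostnames are assumptions made for the example.

```python
# Constructed sample data. SANCTIONED stands in for the IT asset inventory;
# OBSERVED for a snapshot of the network (e.g. DHCP leases or switch ARP/MAC
# tables). All MACs, IPs, hostnames and VLAN ids are made up for this example.
IOT_VLAN = 40   # assumed: dedicated, isolated VLAN for approved IoT devices

SANCTIONED = {
    "aa:bb:cc:00:00:01": {"name": "lobby-display", "kind": "iot"},
    "aa:bb:cc:00:00:02": {"name": "badge-reader-2f", "kind": "iot"},
    "aa:bb:cc:00:00:10": {"name": "alice-laptop", "kind": "endpoint"},
}

OBSERVED = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.40.0.21", "vlan": 40, "hostname": "lobby-display"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.10.0.77", "vlan": 10, "hostname": "badge-reader-2f"},
    {"mac": "aa:bb:cc:00:00:10", "ip": "10.10.0.12", "vlan": 10, "hostname": "alice-laptop"},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.10.0.99", "vlan": 10, "hostname": "SmartTV-Samsung"},
    {"mac": "de:ad:be:ef:00:02", "ip": "10.10.0.54", "vlan": 10, "hostname": "echo-dot"},
]


def inventory_audit(observed, sanctioned, iot_vlan=IOT_VLAN):
    """Compare what is on the wire with what IT approved.

    Returns a list of (finding, mac, label, vlan) tuples:
      SHADOW_DEVICE      - MAC not in the inventory at all
      IOT_WRONG_SEGMENT  - approved IoT device seen outside the IoT VLAN
    """
    findings = []
    for dev in observed:
        mac = dev["mac"].lower()          # normalise case before lookup
        asset = sanctioned.get(mac)
        if asset is None:
            findings.append(("SHADOW_DEVICE", mac, dev["hostname"], dev["vlan"]))
        elif asset["kind"] == "iot" and dev["vlan"] != iot_vlan:
            findings.append(("IOT_WRONG_SEGMENT", mac, asset["name"], dev["vlan"]))
    return findings


def inventory_coverage(observed, sanctioned):
    """Share of observed devices that IT knows about (1.0 = full visibility)."""
    known = sum(1 for d in observed if d["mac"].lower() in sanctioned)
    return known / len(observed) if observed else 1.0


if __name__ == "__main__":
    for finding in inventory_audit(OBSERVED, SANCTIONED):
        print(*finding)
    print(f"inventory coverage: {inventory_coverage(OBSERVED, SANCTIONED):.0%}")
```

Run against real DHCP or ARP exports, the coverage figure gives a simple trend line for how much of the network remains a blind spot.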
IoT devices are massive data churners. Studies estimate that by 2025 the 41.6 billion IoT devices in use will generate 79.4 zettabytes of data. In addition, by 2025, 80% of data worldwide will be unstructured, largely due to the growing proliferation of IoT devices. Unstructured data at such a massive volume creates problems for organizations’ data analytics.
The first step to securing unstructured data is to profile the nature of the data and identify the most important and most sensitive assets. The second step is to identify the employees with access to the data and ensure that no person or device can access data they do not need. To protect sensitive data, most companies use encryption. Beyond that, there should be an established protocol to track any changes to relevant data, to ensure its security and integrity.
Last year, a study revealed that data breaches caused by unsecured IoT devices have increased to 26% from 15% in 2017. Data breaches caused by IoT devices are more serious because these devices can collect more sensitive data. They also appear innocuous, allowing attackers to launch persistent attacks without raising suspicion. In addition, connected devices are always communicating with other devices across the network, and 91.5% of enterprise IoT communications are in plain text, unsecured from intrusion. A hacker only needs to exploit a vulnerability in the endpoint and intercept the data being passed.
A necessary measure for securing IoT data is end-to-end encryption. It is virtually impossible for a hacker to gain access to encrypted data passed through protected endpoints, and even if the defense fails, the attacker would still be unable to read the data. An “encrypt everything” approach, regardless of whether data is at rest or in transit, is important for IoT security. In implementing this, though, it is important to understand the peculiarities of IoT devices (such as being resource-constrained) and use encryption tools tailored to their unique features. Likewise, don’t ignore effective, traditional technologies such as VPNs; they have proved useful for IoT device security.
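The plain-text statistic above is something a defender can measure on their own network. As an added example (not from the article), the Python below runs over constructed flow records for an IoT segment, classifies traffic by destination port into cleartext or encrypted protocols, and reports which devices still talk in the clear and what share of bytes that represents. The port-to-protocol mapping and the flow records are assumptions; a production deployment would confirm encryption from the traffic itself rather than the port number.

```python
from collections import defaultdict

# Assumed port classification for this example. Port numbers are only a
# heuristic: real monitoring should check for a TLS handshake on the wire.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt", 5683: "coap"}
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 8883: "mqtts", 5684: "coaps"}

# Constructed flow records: (source device, destination IP, dst port, bytes),
# as might be exported from NetFlow/IPFIX for the IoT VLAN. All values are made up.
FLOWS = [
    ("lobby-display",   "10.40.0.200",  1883, 4100),
    ("lobby-display",   "203.0.113.9",  443,  9000),
    ("hvac-controller", "10.40.0.200",  1883, 2200),
    ("hvac-controller", "10.40.0.5",    23,   600),
    ("badge-reader-2f", "10.40.0.50",   8883, 5200),
    ("ip-camera-01",    "198.51.100.7", 80,   1_200_000),
]


def classify(port):
    if port in CLEARTEXT_PORTS:
        return "cleartext"
    if port in ENCRYPTED_PORTS:
        return "encrypted"
    return "unknown"


def cleartext_report(flows):
    """Per-device byte totals by class plus the overall share of bytes sent in the clear."""
    per_device = defaultdict(lambda: {"cleartext": 0, "encrypted": 0, "unknown": 0, "protocols": set()})
    total_bytes = clear_bytes = 0
    for device, _dst, port, nbytes in flows:
        cls = classify(port)
        per_device[device][cls] += nbytes
        if cls == "cleartext":
            per_device[device]["protocols"].add(CLEARTEXT_PORTS[port])
            clear_bytes += nbytes
        total_bytes += nbytes
    share = clear_bytes / total_bytes if total_bytes else 0.0
    return dict(per_device), share


def offenders(flows):
    """Devices with any cleartext traffic, sorted by name, for a remediation list."""
    per_device, _ = cleartext_report(flows)
    return sorted(name for name, stats in per_device.items() if stats["cleartext"] > 0)


if __name__ == "__main__":
    report, share = cleartext_report(FLOWS)
    print(f"{share:.1%} of IoT bytes sent in the clear")
    for name in offenders(FLOWS):
        print(name, "->", ", ".join(sorted(report[name]["protocols"])))
```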
IoT Security Standards Gaps
Only recently did the U.S. House of Representatives pass the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, after multiple failed attempts since 2017. The legislation has not yet proceeded to the U.S. Senate, and it has attracted little attention, since it focuses only on IoT devices owned and controlled by the federal government.
Hence, there is still no national standard specifically for IoT device cybersecurity, though the FTC has issued guidelines on IoT cybersecurity best practices. The recommendations include security by design, employee awareness, access control and regular security patching, among others.
Beyond these, individual organizations need to set companywide policies regarding the use of IoT devices and enforce them among employees. For instance, this checklist by the Internet Society covers key areas for securing consumer-grade IoT devices in the enterprise.
Lack of Security Hygiene
Many of the risks that organizations are exposed to through IoT devices can be mitigated through the implementation of basic security hygiene. Some are highlighted below:
- Only use/grant permission for the use of essential IoT devices. IT departments should be particularly wary about consumer-grade IoT devices making their way into the enterprise.
- Turn off devices, ports, etc., that are not in current use. Unless absolutely necessary for work, no device should be persistently connected.
- Secure passwords by changing the default credentials on devices.
- Update firmware and software regularly. Likewise, remove devices that have reached their end of life and can no longer receive security updates.
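The hygiene items above can be turned into a repeatable check over the device inventory. As an added example (not from the article), the Python below audits constructed inventory records for unchanged default credentials, outdated or end-of-life firmware, open ports the device type does not need, and devices that have shown no activity for a month; the device types, port allowlists, firmware versions and dates are all assumptions for the example.

```python
from datetime import date

TODAY = date(2021, 3, 1)   # constructed audit date

# Constructed per-device-type baselines: the only ports each type needs, the
# current vendor firmware, and vendor end-of-support dates. All values made up.
ALLOWED_PORTS = {"ip-camera": {554, 8883}, "printer": {631, 9100}, "thermostat": {8883}}
LATEST_FIRMWARE = {"ip-camera": "3.2.1", "printer": "5.0.0", "thermostat": "1.9"}
END_OF_SUPPORT = {"ip-camera": date(2020, 12, 31)}

# Constructed inventory records, e.g. exported from a device-management system.
DEVICES = [
    {"name": "ip-camera-01", "type": "ip-camera", "firmware": "3.1.0",
     "default_creds": True, "open_ports": {23, 80, 554}, "last_activity": date(2021, 2, 28)},
    {"name": "print-3f", "type": "printer", "firmware": "5.0.0",
     "default_creds": False, "open_ports": {631, 9100}, "last_activity": date(2020, 11, 1)},
    {"name": "thermo-lobby", "type": "thermostat", "firmware": "1.9",
     "default_creds": False, "open_ports": {8883}, "last_activity": date(2021, 3, 1)},
]


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def hygiene_findings(dev, today=TODAY, idle_days=30):
    """Return the hygiene checks a single device fails, in a fixed order."""
    kind = dev["type"]
    findings = []
    if dev["default_creds"]:                        # factory credentials never changed
        findings.append("DEFAULT_CREDENTIALS")
    if version_tuple(dev["firmware"]) < version_tuple(LATEST_FIRMWARE[kind]):
        findings.append("OUTDATED_FIRMWARE")
    if kind in END_OF_SUPPORT and today > END_OF_SUPPORT[kind]:
        findings.append("END_OF_LIFE")              # no more patches: retire the device
    unneeded = dev["open_ports"] - ALLOWED_PORTS[kind]
    if unneeded:
        findings.append("UNNEEDED_PORTS:" + ",".join(map(str, sorted(unneeded))))
    if (today - dev["last_activity"]).days > idle_days:
        findings.append("STALE_DEVICE")             # still inventoried but unused: disconnect it
    return findings


def hygiene_audit(devices):
    return {d["name"]: hygiene_findings(d) for d in devices}


if __name__ == "__main__":
    for name, issues in hygiene_audit(DEVICES).items():
        print(name, "OK" if not issues else ", ".join(issues))
```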
Organizations must create a strong cybersecurity culture among their workers. In an enterprise where cybersecurity is considered everyone’s responsibility, everyone understands, and is more careful about, the risks to which they are exposing the company. IoT device security must be taken seriously because attackers prey on the seeming harmlessness of these devices to gain access to the enterprise network and steal data.