Tackling the threat to enterprises (or their service providers) rolling out new IoT services
At its heart, the trouble with IoT is the rush to market exhibited by many manufacturers who see the business need to fill a gap or provide a useful service, but overlook the essential need to bake security in from the get-go.
For individuals adding network-enabled smart TVs, door locks, and fridges to their home networks, says Lee Munson of Comparitech.com, the risks tend to be based around home security and privacy but for the enterprise, the potential issues are far more varied and concerning.
Insecure personal devices and large scale deployments of more commercial devices, such as traffic cameras, will continue to be overtaken by botnets, intent on leveraging their power to cause disruption through huge DDoS attacks.
Less obvious devices, such as those tools used in the home to play music or dim lights via a voice command, will find their way into the enterprise where the chances of them being subpoenaed in a murder case are far less than the opportunity of being abused for corporate espionage.
Immediate concerns would surround more ‘traditional’ data breaches though.
As any information security professional would attest, connecting unprotected devices to an existing network is never a good idea, especially if additional precautions aren’t taken. And, in the case of IoT, the likelihood of that happening is much the same as in the early days of bringing your own device – employees will want to add the latest gadgets, either to make their lives easier or for the wow factor, without considering the consequences.
As a result, the opportunities for an attacker looking to penetrate an otherwise secure network will be greatly enhanced and the number of headaches faced by the security department is only going to rise.
Beyond that, the data collection abilities of IoT devices may also prove concerning for many businesses. With GDPR looming very close on the horizon, data privacy officers will be acutely aware of the need to know what personal information is being collected by the business and how and where it is being stored.
Thus, it is important that every business, whether it is using IoT services as part of its business plan, or on an ad hoc or casual basis, takes the necessary steps to secure them.
Hopefully, the first step will be in demanding secure IoT devices in the first place as this market, and its associated risks, will not change until that becomes a key part of the buying process.
Secondly, risk assessments will need to be undertaken so that vulnerabilities are identified and mitigated in an appropriate manner.
And, lastly, I believe staff needs to be educated on the inherent risks brought about through the use of such technology, both from a security point of view and a privacy standpoint.
The author of this blog is Lee Munson, senior security researcher at Comparitech.com