An enterprise guide to ensuring IoT security
“Security of an Internet of Things (IoT) device will only get worse before it gets better,” says Yotam Gutman. However, organizations can act now with simple measures
The growth of IoT devices in the consumer market has grown exponentially in recent years and this is set to continue with 24 billion internet-connected devices expected to be installed globally by 2020. With this increase comes fears of privacy and sensitive data loss as prominent attacks and security flaws, such as the recent Samsung and Roku smart TV attack, come to the fore. Likewise, as smart cities and enterprises realize the potential of IoT to capture valuable information, attackers are using vulnerable connected devices as entry points to access sensitive data that lies within a network.
“Security of an IoT device will only get worse before it gets better,” believes SecuriThings’ Yotam Gutman speaking to AIIA Network.
“There are so many new devices being connected to the internet every day. With so little security, major catastrophes are bound to happen.”
“Large-scale attacks will make individuals, enterprises and regulators demand better security from IoT service providers”
In the future Gutman believes “large-scale attacks will make individuals, enterprises and regulators demand better security from IoT service providers. In the interim, mature security solutions already exist and could be implemented at scale to mitigate threats once there is awareness and enough budget.”
Enterprise IoT security challenges
Gutman believes there are a number of IoT security challenges facing the enterprise. Predominantly, there is lack of awareness about how to use the security.
“IT people are taught to secure IT systems which have a parameter, IOT devices speak directly to the cloud so it’s a very different environment.”
He also fears there is a belief within some organizations that IoT security will damage the way these devices operate. Similarly, trust between the enterprise and the security provider can sometimes be uncertain.
“People think security vendors might be privy to information collected by the devices."
Furthermore, “Organizations should demand visibility from the service providers that deploy security mechanisms. They should at least provide the ability to see what is going on within devices so if they have been infected, it is possible to disconnect them from the network and wipe them,” Gutman says.
8 steps to safeguarding enterprise IoT security
With the IoT threat landscape widening, Gutman provides tips for enterprises looking to protect their IoT devices and secure systems:
1. Connect only what must be connected
It is the basic rule of “smart” devices - if they don’t need to be open to the internet, then don’t connect them. If a thermostat can operate locally, don’t be tempted to connect it just so that the CEO can check the temperature in an app.
2. Apply basic IT security procedures to IoT security
Manage users’ access to devices, use robust passwords and usernames and never use the devices’ default settings and passwords.
3. Don’t neglect IoT devices installed or managed by 3rd parties
Frequently, enterprises use IoT service providers for installing and operating IoT (such as remote security surveillance monitoring). Such devices can cause privacy and security breaches and need to be monitored, even though they are not technically “owned” by the organization (in this case, the responsibility lies with the IoT service provider).
4. Don’t forget the insider threat
IoT devices can be exploited by insiders to collect sensitive (private) information, so organizations need to employ strict access management and monitor the behavior of users, administrators and technicians.
5. Keep privacy in mind
IoT devices can collect extremely sensitive information; video footage, sound recordings, etc. Deploying an IoT device should be made with privacy and legal concerns in mind.
6. Real time monitoring
Real time monitoring followed by, investigation and remediation: An IoT security solution should allow the organization to identify hacking attempts in real-time, and block or investigate them.
7. Have an IoT breach plan in place
Like IT security, an organization needs to plan for breaches. Unlike IT security, hacking of IoT devices can have real-life implications, so a plan must be made to act swiftly in case of an incident. For example, if an IoT deployment has been infected, should the device be disconnected? Rebooted? Are some devices mission critical and should they remain online until physically replaced?
8. Involve relevant stakeholders in the planning phase
Unlike IT security, which is the responsibility of the CIO/ IT department, IoT involves business, operations, IT infrastructure, physical security (CSO) and other stakeholders, all of which should take part in designing the security solution and protocols.