A number of exciting technological advancements - 5G, Wi-Fi 6, cloud and virtualization of networks, to name a few - are fueling growth in the Internet of Things (IoT) beyond what was imagined even a few years ago. A recent study shows that in 2018, there were almost 18 billion connected devices globally. By 2025, the number of globally connected devices will exceed 34 billion, a compound annual growth rate (CAGR) of 10 percent.
Despite the phenomenal growth expected in IoT devices for both consumers and enterprises, the reality is that fewer than half of companies can detect IoT device breaches. This contrasts with an increased focus on security according to a recent survey of 950 global IT and business decision makers. In fact, spending on protection has grown from 11 percent to 13 percent of IoT budgets, and 90 percent of businesses believe IoT security is a major consideration for customers.
Interestingly, almost 80 percent of those surveyed are calling on governments to intervene by creating more robust guidelines on IoT security. Additionally, almost 60 percent of those surveyed want the government to clarify who’s responsible for protecting IoT. Yet, many governments already are actively addressing IoT security regulations. Most telling is the fact that 95 percent of companies believe uniform IoT regulations should be established, and 95 percent of consumers expect IoT devices to be governed by security regulations.
Without question, IoT holds a number of benefits for enterprises in terms of efficiency, productivity and innovation, and companies can’t afford to indefinitely delay deploying IoT technology. Inaction carries the risk of losing ground to competitors that act more quickly to seize the advantages of IoT.
Yet, unsecured IoT devices leave enterprises vulnerable to data theft, physical damage, revenue loss, reputational damage and more. As such, it’s equally important for enterprises to understand the security issues inherent to IoT and implement measures to protect internal resources, as well as those of employees, customers, vendors and visitors.
Threats to the enterprise
It’s important to understand that in an enterprise, the IoT covers any device that’s connected to the Internet. On an obvious level, this includes traditionally networked devices like computers, laptops and smartphones. But it also includes things like sensor-enabled vending machines, cars and HVAC systems, many of which aren’t managed or monitored by an organization’s IT resources.
When this happens, it’s known as shadowing, or the shadow IoT, and it’s a significant concern. In one 2018 study, 90 percent of enterprises found previously undetected IoT wireless networks separate from their enterprise infrastructure, while 100 percent of the organizations found rogue consumer IoT wireless devices on enterprise networks.
Enterprises are especially vulnerable to shadow IoT devices when they rely on legacy security technologies, because the IoT introduces new operating systems (OSs), protocols and wireless frequencies. As such, outdated security technologies are blind to these rogue IoT devices, and they lack visibility into shadow IoT networks or detection of threats from things like drones and spy cameras.
Also problematic are consumer devices brought into the enterprise by employees, vendors, contractors and visitors, all of whom connect to the network. One survey found the most common consumer devices on enterprise networks are fitness trackers, digital assistants and smart televisions. More than a third of companies in the US, UK and Germany reported more than 5,000 personal devices connecting to the network each day. Employees won’t think twice about using such devices to access social media, download apps, games and films - all while connected to enterprise servers - but in doing so they increase the risks of social engineering hacks, phishing and malware injection in enterprise networks.
Mitigating IoT security threats
Enterprises can take a number of steps to mitigate such IoT security threats. A good start is to determine where the enterprise might be most vulnerable or exposed to attacks on IoT devices. It’s also important to gain a full inventory of IoT devices that are deployed throughout the organization and assess the risk posed by each device to enterprise platforms, networks and cloud integrations.
The next step would be to control access, which can potentially include limiting network access for certain connected objects. Enterprise IT needs to identify the behaviors and activities that are deemed acceptable by connected things within the IoT environment and establish related controls, while at the same time business processes are facilitated, not hindered.
Enterprises also need to consider that IoT devices generally have multiple stakeholders. As such, a successful IoT security plan depends upon collaboration across business units to build multiple layers of security. Additionally, it’s key to develop specific policies that dictate what IoT devices can do, as well as restricting their abilities when necessary. And most importantly, enterprises need a clear strategy to deal with IoT devices that violate policy or behave erratically.
Finally, enterprises should look at security as a step that can actually improve the long-term ROI of their IoT strategy. According to recent research, improving security is key to the success of IoT. Developing a good IoT strategy at the enterprise level protects internal investments and processes and will ensure companies are well suited for next-generation interactions with vendors, customers, employees and other stakeholders.
