Tony Anscombe, Global Security Evangelist, ESET
As technology evolves, so do the challenges presented to network managers. One of the most complex areas, due to the multitude of connectivity options and device types, is the Internet of Things (IoT).
Our workplaces and homes are now being connected with devices and functionality that we never envisioned, increasing the number of connections exponentially. Our homes are becoming like small businesses with 10+ devices, and small businesses are becoming medium-sized enterprises. An employee who had a single device a few years ago most likely has three, maybe four, devices today. And in our offices, we are starting to connect everyday devices such as security cameras, lighting, and maybe even a kettle.
With every connected device, whether in the home or in the office, we add an element of risk that needs consideration, risk assessment, and a network profile of what it can access. Our initial instinct may be that our employees’ homes are not the responsibility of the company, but a vulnerable device on the home network could create an opening for a hacker to connect to a business network. When employees connect company-owned devices at home, or devices they personally own that a company has approved under Bring Your Own Device (BYOD), they may potentially be opening the door to a cybercriminal.
According to Gartner, IoT endpoints are estimated to grow at 32.9 percent from 2015 through 2020. With a total potential install base of 20.4 billion units, managing networks and these new devices is a huge challenge.
The functionality these devices bring is endless; some may be dumb, while others have resources and intelligence built in as standard.
The connectivity being used is also very varied: WiFi, radio or Bluetooth. Again, there are many options, and each one has different considerations from a security perspective.
Many IoT vendors have not considered security; this has been apparent in the recent denial of service attacks and hacks that have taken place. For example, the attack on the Dyn infrastructure in late 2016 denied access to some of the Internet’s most popular websites by making the domain name servers inaccessible. The attack was launched by using known vulnerabilities in IoT devices such as webcams and infecting them with malware, creating a network of devices large enough to launch an attack big enough to take out the DNS infrastructure of Dyn. The devices may not even have the ability to be secured due to the lack of security built in at the design stage, and even those that can be secured are still likely to be vulnerable, as the owners may not be aware of the risk or that their device is being abused in this way.
For businesses, the advantages of connecting IoT devices may appear clear, but the risk is still evolving. The connection of more devices to the internet may benefit them with more data and insight into their interaction with customers than ever before. And with increased automation in the workplace, our employees and the business will be better equipped to handle new opportunities and further the goals of the company.
This raises many questions, but two more prominently than others. “Will connecting the device to the internet deliver the increased insight or automation that is expected and do so cost-effectively?” Secondly, when connecting the device, how will the connection be implemented and managed? The second question raises the key question of “will adding more devices to the company's network increase risk and is this understood by the business and the IT team?”
Cyber criminals are constantly searching and probing hardware, looking for flaws in software to exploit, and collecting passwords and company and personal identity data from wherever and whenever they can. Every connected device, whether company-owned or an employee’s personal device being used for work, needs to be assessed for benefits and risk. Only then can the business determine whether the benefit outweighs the risk.
IT departments, or outsourced service providers to small businesses, need to be deploying real-time discovery, visibility and control systems. A lack of network and device visibility should be a top concern: if you don't know what is connected to the internet, and whether additional security is required, then the whole business may be at risk. Device discovery is a prerequisite to IoT security.
Three things businesses should consider before connecting a device
Ask the following questions when considering the benefits of connecting a device to the internet:
1. Does the device collect data that will benefit the business? Is the data being shared with external companies, maybe even the manufacturer? Analyzing the data and risk may be complex; does the business have the facilities and resources to do this?
2. Is the return on investment great enough to outweigh the costs and security risks that are being proposed when the device is connected?
3. In a smaller business that has no dedicated IT department, who will implement and manage the device? And in a business with dedicated personnel, do they have the skill sets needed to understand how to implement the devices in a secure and managed environment?
Founded in 1992 and headquartered in San Diego, California, ESET has been developing industry-leading IT security software and services for businesses and consumers worldwide.