The Internet of Things (IoT) represents the continued evolution of technology as more and more of our everyday devices become “smart”. Moving forward, we will begin to see everyday items embedded with sensors, small computers, and Bluetooth and Wi-Fi connections, which allow them to be programmed to make our lives more productive and efficient.
An example of IoT would be a coffee pot that begins to brew your morning coffee as soon as you wake up. This would be made possible through your coffee pot's built-in Wi-Fi capabilities, which allow it to communicate with your smartphone through its alarm clock app.
However, as more of these devices become computerized and accessible over the internet through Wi-Fi, they also become exploitable and susceptible to viruses. This is especially the case for surveillance systems, which are transitioning away from closed-circuit systems to network-connected ones.
Consumer IoT device manufacturers have little consideration for Corporate IT Security
Because of the convenience of IoT devices, businesses have already begun to incorporate consumer IoT devices into their networks. Unfortunately, consumer IoT product manufacturers do not have business IT security in mind as they develop these IoT-enabled devices.
Best practices for IoT device security are in their infancy, and established industry standards have yet to be developed. A recent study by Hewlett Packard Enterprise’s security unit Fortify discovered that 70 percent of popular consumer IoT devices are easily hackable.
Adding to the difficulty of managing security is the fact that these devices can easily be connected to the network without the need for an IT professional. It could be as simple as a maintenance employee replacing a traditional lightbulb with a smart lightbulb and joining it to the corporate Wi-Fi network. This means that your IT department isn’t always aware when an IoT device is connected to the network, creating holes in your organization's network security that are difficult to detect and close.
Compromised devices can lead to stolen data, sabotage and malicious damage
Furthermore, the vendors installing these IoT-enabled devices typically do not understand the risks or potential impact on corporate networks. Hackers are actively looking for these weaknesses and, once a device is compromised, sell control of or access to it (often multiple times over) on the black market. Compromised IoT devices can be used to steal data, spy on your business, cause malicious damage through sabotage, or launch financially motivated attacks like ransomware. When information is stolen, it is often sold on the black market (also often many times over) to other criminals, foreign governments and corporate spies.
In addition to cyberattacks, exploited IoT devices can be used to physically attack your business. Criminals can tamper with environmental controls, such as by unlocking doors or overheating your server room, set off fire alarms, disable security cameras and even control medical devices.
Security through established IoT Security Governance
The reality today is that in most corporate networks anyone can bring a device into the office, connect it to the corporate network and no one is the wiser. Asking for authorization and going through a lengthy verification process is expensive and nearly impossible to enforce.
What should your organization do?
- Implement a network infrastructure design that limits access, prevents unauthorized devices from connecting to the secure corporate network, and segregates device types into separate, isolated networks.
- Implement a governance process where due diligence and change management are performed on all vendors, and where permissions and security are scrutinized before a device is granted elevated access.
- Implement a network monitoring system that detects foreign devices and alerts IT immediately.
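
The first and third recommendations can be combined into one check: compare what the DHCP server sees against an approved inventory, and confirm each known device sits in the segment assigned to its type. The sketch below is an added example, not taken from any product or study mentioned above; the inventory, subnets, lease format and hostnames are all constructed assumptions.

```python
import ipaddress

# Constructed inventory (assumption): approved MAC -> device class
INVENTORY = {
    "00:11:22:33:44:55": "workstation",
    "00:11:22:33:44:66": "camera",
    "00:11:22:33:44:77": "smart-bulb",
}
# Constructed segmentation policy (assumption): device class -> required subnet
SEGMENTS = {
    "workstation": ipaddress.ip_network("10.10.0.0/24"),
    "camera": ipaddress.ip_network("10.20.0.0/24"),
    "smart-bulb": ipaddress.ip_network("10.30.0.0/24"),
}
# Constructed lease export, one "mac ip hostname" record per line
SAMPLE_LEASES = """\
00:11:22:33:44:55 10.10.0.21 fin-laptop-07
00-11-22-33-44-66 10.20.0.5 lobby-cam
00:11:22:33:44:77 10.10.0.93 bulb-3f
AA:BB:CC:DD:EE:01 10.10.0.140 coffee-pot
"""

def normalize_mac(mac):
    """Return lower-case colon-separated form so formatting differences don't hide a match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_leases(text, inventory=INVENTORY, segments=SEGMENTS):
    """Return (severity, mac, ip, reason) for unknown or mis-segmented devices."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw_mac, ip_text, host = line.split()[:3]
        mac, ip = normalize_mac(raw_mac), ipaddress.ip_address(ip_text)
        device_class = inventory.get(mac)
        if device_class is None:
            # Foreign device: never approved, so IT should hear about it now
            findings.append(("ALERT", mac, str(ip), f"unknown device '{host}'"))
        elif ip not in segments[device_class]:
            # Approved device, but joined to a network meant for another type
            findings.append(("WARN", mac, str(ip),
                             f"{device_class} '{host}' outside {segments[device_class]}"))
    return findings

if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES):
        print(*finding)
```

MAC addresses can be changed or randomized by the device, so an inventory match is a detection signal rather than proof of identity; enforcement still belongs in the network design from the first recommendation.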