Member Article

Protecting IoT in the enterprise

Connected consumer devices have become widespread in smart homes, and they are making their way into enterprises at a rapid rate. However, as manufacturers rush creative concepts to market, security is often an afterthought and these devices can quickly become low hanging fruit for hackers looking for an easy way into corporate networks. Hackers are now able to scan networks for vulnerable devices – often protected with very basic credentials – before uploading malicious code and hijacking said device. While a compromised gadget may pose a challenge on a home network, it can have truly disastrous consequences for businesses as they begin to share, transmit and connect to increasingly valuable data.

A good example of how vulnerable Internet of Things (IoT) devices can be is a recent attack that took place at an unnamed university. In this case, 5,000 IoT devices, including vending machines and light sensors, were hijacked. On their own, they would add little value for hackers, however these devices were connected to the university’s administrative network, which essentially provided access to the university’s entire IT infrastructure. If it had failed to have been spotted in time, the entire campus network could have been brought down.

Managing the endpoint

Monitoring and securing the endpoint continues to be the key solution to managing IoT, as it was with BYOD. IoT is about creating connectivity for a wider range of devices; what we see now with watches and glasses could conceivably extend to any object. In fact, Cisco predicts that there will be 50 billion connected devices worldwide by 2020. With any object offering the capability to send, receive and store data, enterprise data security will need to extend a lot farther than it does now.

IoT can create new efficiencies and productivity in the long-run, however it’s becoming increasingly clear that these new endpoints come with new risks. It’s therefore wise that organisations firstly ensure that every ‘thing’ that is connected to their network is necessary. Does it add value to the business, or is it merely a novelty to have a kettle that turns on remotely? Having separate networks for IoT systems may be the best option if this is the case.

Secondly, research needs to be conducted on those that are creating the internet-enabled devices and objects to ensure that they have adequate security measures in place from a manufacturing standpoint. A full evaluation should be carried out to assess the risks.

Persistence monitoring

As with network security, IoT requires a layered approach to defend against the multitude of risks. Most endpoint devices are poorly protected in comparison with network defences, and often there is little oversight or management of those protections, once installed. IoT requires that organisations have a means to track and monitor all these new devices to secure enterprise data and network access. Policies must be in place that prioritise data security for employees and in the event that a security incident does occur, data needs to be safeguarded and steps must be taken to prevent recurrences of the incident. With GDPR pending, enterprises will soon need to prove that data is protected in a breach situation, so having a persistent connection to each device to prove compliance will be essential.

Richard Henderson, global security strategist, Absolute

This was posted in Bdaily's Members' News section by Absolute .