The Internet of Things: Convenience vs. Risk

The Internet of Things (IoT) is everywhere.  These convenient devices are in our homes and offices as well as in our pockets.  Along with the convenience they provide there are some security risks associated by using these devices.  There have been a number of known security breaches reported in the news regarding this topic, and those breaches included massive distributed denial-of-service (DDoS) attacks, and botnet hijacking attacks which have caused major disruption to organizations.

What is potentially affected?  All those devices that communicate and can be accessed via the Internet based upon their IP addresses.  That would include traditional office equipment such as copiers, printers, video projectors, and even televisions in reception areas.  Some of the less obvious devices would be climate control, motion detection systems and security lighting systems which are equipped with remote access can be controlled over the Internet. And, don’t forget the smartphones and smartwatches – these personal devices play a role in a company’s security.  These devices create access points and the best way to be secure is to define a policy to put protections in to place.

Many IoT devices are produced with the very basic software, which often can’t be updated.  As people become more aware of risk, some IoT devices are being brought up to current security standards with periodic firmware updates.  It’s a good start, but the majority of internet-ready devices cannot be integrated into the conventional IT hardware or software protections with which companies protect themselves against internet-based attacks. The variety of new internet-ready devices brings a mass of new data traffic to the network that must be managed and secured by IT departments. But it’s complicated by the variety of network protocols used by all of these various device types.  These devices are being used for personal and business and sometimes the lines of use will cross.  The integration of personal devices will pose a security risk simply because more and more attacks on companies are started against individual employees. As an example, if a device is infected with malware or a virus, it can be used to gain traction and then wreak havoc when it connects to the company’s network.  The tricky part is defining who should be responsible for IoT security – however, it is an important step.

The first consideration you need to make is whether or not connecting a particular device will be a large enough benefit to be worth the inherent risks. Depending on the device, an IoT device could be used to spy on you, steal your data, and track your whereabouts. If the device in question directly offers you a helpful, worthwhile utility, it may be worth the risk. If the connected device serves little purpose beyond its novelty, or its purpose could just as easily be managed by a staff member, it is probably best to leave it disconnected.

By taking inventory you have a benchmark as to all the devices that will connect to the Internet.  An organization should evaluate every single device that is added to the network.  Desktops, laptops and servers are generally tested extensively but mobile devices should also be added to the list.  Oftentimes devices are ignored even though they actively communicate over the network, and strict attention should be given to those devices that send data.  It’s very important to set guidelines for the use of IoT devices.  Be sure to define which devices are permitted on the company network and what data exchange with the network or Internet is desired.  The proper security technology will prevent unwanted traffic.

IoT introduces additional complexity for security.  Organizations are advised to monitor the data traffic to and from IoT devices in their network. Perimeter-based solutions are not adequate in today’s IT environment because users and apps can no longer be contained inside a organization’s network, behind a clearly defined protective wall.  Organizations need to evaluate new security concepts that have already proven reliable as workplace tools of mobile employees and remote offices.  For example, a protective shield from the cloud can scan all incoming and outgoing data traffic for malicious code, regardless of the device used.  With cloud solutions, organizations gain control of all internet-based traffic and can actively manage which communications are permitted or should be blocked. This can include preventing the printer from automatically ordering toner and restricting all other devices to a minimum amount of communication on the web. You should also make sure that the environment that you are using an IoT device in is as secure as possible. Making sure that your firmware is updated will ensure that you have the latest security patches and fixes for the various exploits and vulnerabilities that the IoT may present. If possible, this process should be automated so that your IoT devices, as well as your router, are fully updated.  It may also be a good idea to check if your router supports guest networking. With guest networking, you can keep potentially risky IoT devices off of your main business network, protecting its contents.  Organizations should always make sure that passwords are in line with best practices, and that you are not reusing passwords between devices and accounts. Following these guidelines means that even if one of your accounts is comprised, the rest of your accounts are safe behind a different set of credentials.

Ultimately, the best way to keep your organization safe from IoT issues is to establish rules regarding the use of these devices and monitor their permissions. Extending the consideration of whether or not a device needs to be connected, you need to establish if it even needs to be in the office. After all, a smartwatch can offer some business utility, whereas a smart trash can (which does in fact exist) does not.

Monitoring your organization’s network can help you identify if any unapproved devices have made a connection.