Unthinkable benefits. Unimaginable risks.
Since the term’s first use in 20051, cybercriminals have come to view the Internet of Things as their next frontier.
Every year seems to bring a new set of vulnerabilities. Refrigerators and routers can act in botnets. Webcams can facilitate surveillance. Fitness-tracking wristbands can give access to sensitive company data.
Gartner projects that by 2020, IoT and unauthorized employee devices will attract a third of all cyberattacks.2
The news looks bleak. But it’s not hopeless. The available research is nearly unanimous: the modern organization can achieve substantial IoT security.
This article distills dozens of expert sources down to eight basic recommendations. For a more thorough treatment, please see the GSMA’s series of IoT security standards.
1. Audit your Network
IoT involves far more than just the number and vulnerability of corporate devices. The authors of EY’s 2017-2018 cybersecurity report caution that the “proliferation of devices belonging to employees, customers and suppliers…[can] blur the organization’s perimeter. Organizations must think of themselves as having long and trailing tentacles in every direction.”3
Many companies don’t know the full extent of their IoT exposure. An Infoblox survey found that in one third of corporations, more than 1,000 shadow (unauthorized) IoT devices are connected to the company network on any given day. The IoT devices most frequently connected include fitness trackers (49%), voice assistants (47%), smart TVs (46%), kitchen appliances (33%), and game consoles (30%).
IT executives must define the boundaries of their ecosystem now. And definition begins with information.
Who and what is connecting to your network?
2. Crack Down on Shadow IoT
Shadow IT refers to the informal and unauthorized elements of an IT ecosystem. Shadow IoT indicates the devices that access an organization’s network without administrator knowledge or permission.
Many executives lean towards security training and guidelines as a solution. But trust can be a weakness. Yevgeny Dibrov cautions in the Harvard Business Review that although employees may intend IoT usage for noble ends like productivity, there “is simply no way you can rely on employees to use [IoT devices] within acceptable security guidelines.” Dibrov cites PhishMe research indicating that 80% of employees trained against malware still click on recognizably infected emails.
Network security should depend on regulations, not guidelines. Humans simply cannot bear the lion’s share of your organization’s security. In order to suppress shadow IoT, administrators should either (a) prohibit employees from bringing unsecured devices to work or (b) quarantine them on a separate network.
3. Evaluate Existing Corporate IoT Devices
While wearables and smart speakers usually belong to employees, many smart objects—appliances, televisions, webcams, and thermostats—belong to the company. Executives should catalogue these corporately-owned devices and evaluate each in turn. The FBI advises that administrators carefully “consider whether IoT devices are ideal for their intended purpose.” Where web functionality adds nothing, or where security concerns outweigh it, decision-makers should consider reverting to a ‘dumb’ object.
4. Secure Essential Corporate IoT Devices
Executives will also need to rethink their handling of those IoT devices they deem essential.
a. Change default passwords
Symantec identifies default passwords as “the biggest security weakness for IoT devices.”4 Most IoT devices go from purchase to disposal with default passwords like ‘admin’ intact. Administrators should always, always change default device passwords.
b. Encrypt IoT traffic
According to Gemalto’s IoT security report, fewer than 57% of IT leaders say that their companies encrypt all IoT data. As the authors put it, “This is just not good enough.”5 Organizations should encrypt all traffic between the nodes of your IT ecosystem, regardless of its sensitivity level.
c. Isolate IoT devices or disable connectivity (if possible)
In PSAs from 2015 and 2018, the FBI keeps one recommendation the same: isolate IoT devices on a separate network. This will, of course, not be possible for all devices. A manufacturing firm may want to integrate smart pallet and assembly robot data directly into their ERP solution. But network quarantine can bypass many a headache.
d. Monitor Traffic
Even on an isolated network, transmissions among devices and with the outside world can speak volumes about the hackers targeting your company. HBR’s Dibrov stresses that surveillance is vital: “I’ve seen compromised tablets streaming video from a board room to an undisclosed location,” he says. “Only by identifying its behavior and traffic patterns were we able to see the risk.”
5. Purchase only secure IoT devices
Symantec’s 2017 Internet Security Threat Report identifies three persistent flaws of IoT devices:
1. Security is often not a priority to the device manufacturer.
2. [Devices] typically don’t have built-in mechanisms to receive automatic firmware updates, resulting in vulnerabilities being left unpatched.
3. They are often forgotten about once installed.
Reversed, these concerns become search criteria that executives can use in IoT searches.
a. Does it come from a secure manufacturer?
Symantec’s report refers to security as “often not” a priority. Yet some vendors do prove the exception. Vendors with longstanding lines of traditional computing products do emphasize security more strongly. Such vendors include Apple, Microsoft, Amazon, IBM, and so on. By contrast, vendors whose IoT ventures represent their first foray into computing will likely struggle to provide cybersecure products.
Yet sometimes even established tech firms can’t guarantee security. According to a recent Bloomberg report, the Chinese government ‘seeded’ servers with microchips “not much bigger than a grain of rice.” Among the organizations that purchased these compromised servers were “a major bank, government contractors, and…Apple Inc.”
b. Can it receive security patches and firmware updates?
A device that cannot receive firmware updates is a device that, even if currently secure, cannot remain so. If possible, administrators should strive to purchase only patchable IoT devices. Dibrov refers to a recent episode with Amazon’s Echo products. He and his team found a critical flaw in Echo security and brought it to Amazon. Amazon issued the appropriate patch shortly thereafter.
c. What will keep it from being forgotten?
Corporations should never purchase IoT devices without a defined regimen for monitoring them. Administrators should review network-wide device security on a regular basis. They will need to watch traffic and stay alert for vendor patches.
6. Consider an IoT Security Partnership
“Organizations must be able to see a long term goal” from IoT, write the authors of Gemalto’s IoT Security Report. A strategic “partnership alongside an IoT security specialist then becomes an obvious port of call.” In theory, organizations will reap the greatest benefits from a cybersecurity partner who addresses IoT as one feature in a broader threat landscape, rather than as a solitary concern.
7. Incorporate IoT Security into your Cyberbudgeting Process
A cybersecurity budget requires an accurate understanding of the threat landscape. If IoT devices play a pivotal role in your IT ecosystem, then they should form an equally large feature on your threat landscape. “The IoT is not a collection of passive items,” reiterates EY’s 2017 cy-sec report. Composed of active and constant interaction, the Internet of Things “represents fundamental change.” Corporations must incorporate this new threat into their cyber risk calculus and spend accordingly.
8. Create an incident-response plan and team
Beyond IoT, beyond cybercrime, security of any kind requires planning. The C-Suite should already have both an incident response plan and a handpicked team in place. In the absence of either one, this step should take immediate priority. Larger organizations may choose to create a permanent security center. But every firm needs a plan. Effective yesterday.
1 Federal Trade Commission, “Internet of Things: Privacy and Security in a connected World,” 2015.
2 Cited in Yevgeny Dibrov, “The Internet of Things is Going to Change Everything about Cybersecurity,” HBR, December 18, 2017.
3 EY, 20th Global Information Security Survey 2017-2018, 2017.
4 Symantec, Internet Security Threat Report, April 2017.
5 Gemalto, The State of IoT Security.