Last month, the US National Cyber Security Awareness Month warned that businesses are leaving themselves exposed to new threats if they do not have an IoT-specific security plan.
"Individuals and businesses that adopt IoT should be sure they know how to keep the devices secure, understand what data is being collected and where its being stored, and how to take advantage of any available user controls for the device," said Michael Kaiser, executive director of NCSA.
A growing challenge
Securing connected devices is of growing importance to any CIO. Gartner forecasts 4.9 billion Internet of Things devices will be deployed this year, climbing to 25 billion by 2020. We’ve discussed the dangers of connected devices before: from cybercriminals using manufacturer vulnerabilities inside connected devices as attack vectors to blatant theft of the devices themselves and more.
As enterprise infrastructure becomes increasingly connected, inadequately secured connected end points represent a big opportunity for cybercrime. Juniper Research warns new IoT threats are being reported at an “increasing rate”.
Six security steps
The NCSA suggests CIOs deploying connected devices should follow this procedure:
Before you deploy any IoT devices, make sure all of these are updated to the most recent software and that existing passwords are swapped for stronger self-created passwords. This also extends to any mobile devices that might be used to control your systems (phones, tablets, wearables). These must also be kept up-to-date with the latest security and software packages. Never deploy connected devices that do not enable you to set your own password.
With all those connected devices chatting merrily away on your wireless networks, it becomes imperative to ensure your Wi-Fi routers are secure.
· Use strong passwords
· Name routers and networks in a way that makes them hard to identify as your enterprise assets
· Keep router software up to date
How many connected devices do you already use across your enterprise? Where are they? As you extend your connected device family it will be essential to maintain an inventory of all those you have in place. This inventory should be used as a basis on which to monitor software upgrades, support and manufacturer commitment to future software patches.
IoT is in the early adoption phase. This means some manufacturers are likely to quit the market in the coming years. Given the innate security challenges of connected devices, it’s important to replace solutions if manufacturers cease providing software patches for them, or if they make it impossible to deploy stronger password protection for use of them. (Third-party suppliers are to be blamed for 18 per cent of cyber-security incidents according to a recent survey conducted by Kaspersky Lab.)
IT must understand what information each connected device deployed across the enterprise collects. This also extends to understanding how it is managed, protected and used. In the event this data is stored in the cloud, then the usual security considerations of data integrity, legality and end-to-end security protection in transit must also be considered.
The evolution of CyberSoC shows traditional security solutions such as virus checkers and firewalls aren’t sufficient protection on their own. Within this more complex security environment, the nature of the threat is continuous. “The biggest threat is really a mind-set that security is not something that you do want. Security is a continuous process. There are lots of direct factors, but the minute you solve one, another one pops up,” Red Hat chief architect of IoT, James Kirkland explains.
Read about how traditional approaches to cybersecurity and Identity Access Management need to change to cope with the IoT environment. Or take a look at our security-focused services here.
Jon Evans is a highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his daily regular Computerworld AppleHolic and opinion columns. Jon is also technology editor for men's interest magazine, Calibre Quarterly, and news editor for MacFormat magazine, which is the biggest UK Mac title. He's really interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.