The Internet of Things (IoT) has quickly moved from hype to reality and it’s a phenomenon every enterprise now needs to deal with. From smartphones to sensors, the trend for ‘things’ connecting with corporate networks to reach the Internet is here to stay. There are extraordinary benefits to be realised and new opportunities to capture, but this functionality also comes at a price. As more devices connect, networks become more vulnerable. It’s the product of a larger attack surface that needs to be protected and the fact that IoT is still very much in its infancy. On the rise and frequently under the radar, IoT devices are becoming the weak link in corporate networks and in some cases an invisible one too.
IoT is already happening on your network whether you like it or not. The right approach should focus on enabling your organisation to capitalise on the best that IoT offers while protecting against the potential threats. Here’s our view of your most likely vulnerabilities:
The volume and variety of devices connecting with your network
Gartner has predicted that 20.4 billion connected ‘things’ will be in use worldwide by 2020! Where the device race started simply with smartphones and laptops, corporate networks are now invaded by tablets, smart watches, health monitors, sensors, asset tags, even virtual reality headsets. You won’t stop the flood of things, but it is essential that you can account for each one on your network and wherever possible ensure they are protected. It’s when devices slip under the radar that the problems occur.
Likewise, procedures and policies need to be put in place to ensure that any personal devices under Bring Your Own Device (BYOD) initiatives or brought along by guests requesting access to the corporate network are always suitably defended. The more endpoints your organisation doesn’t secure, the easier it will be for hackers to exploit you.
Access to data
IoT devices access and generate corporate data, some of it sensitive. Accordingly, they can become high-value targets for hackers, especially as the data is often not encrypted. Thought needs to be given to your data paths: how data is accessed and held by these devices, and even whether they should be given permission to connect to corporate networks at all.
With the General Data Protection Regulation (GDPR) imminent, IoT devices have been identified as a particularly dubious area for data protection. Data controllers have to report any breaches within 72 hours, and will therefore need to ensure that data held on IoT devices is visible and protected, and that any consent given by a data subject via an IoT device is traceable.
The recent WannaCry ransomware attack is a good example of an IoT-related cyber breach. Among the worst affected was the NHS, with almost 50 trusts targeted and nearly 70,000 devices exploited, many of which were IoT devices, from storage fridges to operating equipment. The attack took advantage of a vulnerability in a legacy Microsoft operating system (OS), which many organisations had not patched quickly enough. Unfortunately for the NHS, it also affected many of their network-connected medical devices running the same OS. Having gained access through this vulnerability, the malware quickly propagated.
This reluctance to patch is common for IoT devices, as many of them are not deemed important enough to warrant the time it takes. However, patching needs to be done promptly and regularly in order to ward off attackers.
Your print estate
Corporate printers are seen as one of the biggest IoT risks because of the multiple functions they perform and the necessity of being connected to corporate networks. Printers receive confidential and sensitive information from multiple endpoints and store it within the device (if only temporarily), ready to be discovered by determined attackers. Think about what you’ve printed or scanned in the past. Addresses? Invoices? Card details? This is exactly the data a cyber attacker wants to get their hands on. According to analyst reports, millions of printers globally could today be at risk of attack from threats like Distributed Denial of Service (DDoS), which is known for targeting IoT devices.
Wearable tech is now commonplace. These things seamlessly connect with available networks and send and receive data, including potentially confidential corporate information. Seemingly innocuous, they’re a trend to watch, especially as device manufacturers continue to build on their capabilities.
Operational Technologies and Smart Environments
All sorts of operational technologies are making their way onto your network, whether that’s machinery or the products used to create smarter working environments, from meeting room schedulers to lightbulbs and thermostats. It might just be a vending machine and feel removed from ‘real IT’, but being on the network means it is potentially connected with everything else you have. Threats like botnets exploit these devices and find ways to travel between ‘things’ on your network.
We don’t like to admit it, but people are a major weak point in the success of IoT. The manufacturers who create devices are guilty of not building in adequate security measures; the employee who has trouble remembering a tricky password will use an easy one instead; the IT manager who doesn’t want his team’s time squandered on applying multiple patches delays them. We are each responsible in some way for how IoT is integrated into the enterprise.
It’s also true that there is a distinct lack of education in cybersecurity when it comes to the Internet of Things. Many users are unaware of the extent to which IoT devices are ‘connected’, and as attacks are constantly getting smarter, it’s getting harder to keep on top of all the necessary aspects of IoT security without also contending with careless or bad practice.
The Internet of Things can bring truly amazing flexibility and functionality to the modern enterprise, but it is so important to ensure that suitable security measures are enforced within the environment.