The internet of things (IoT) is expanding — rapidly. Research from IoT Analytics puts the number of connected IoT devices at over 7 billion as enterprises look to expand their reach, drive better data collection and improve strategic decision-making. But speedy uptake is creating new IoT security concerns, from inherent flaws that put data at risk to the “weaponization” of connected devices. And these risks don’t discriminate: Enterprises just getting started with IoT adoption, looking to expand their current network or looking to get ahead of the curve on connected devices all face similar challenges to manage, monitor and secure IoT environments.

While it’s easy to find gloom-and-doom think pieces on the worrisome state of IoT evolution, it’s harder to track down actionable information on what’s really at stake, who bears responsibility and how companies can embrace end-to-end IoT defense. If you need a solid starting point, continue reading for a practical, purposeful primer on enterprise IoT security.

Unpacking the Internet of Things

Search for “IoT threats” and you’ll find hundreds of the-sky-is-falling security blogs that expound on the pervasive nature of connected device risks. The problem is that most skip the ground floor: What is the internet of things? How does it work? Why does it matter?

At its most basic, the internet of things is “the concept of connecting any device to the internet and to other connected devices.” An IoT platform is then used to collect and manage data from multiple device sensors and deliver business insight.

Typically, IoT devices are limited in scope and functionality: A connected camera is an IoT device because it performs a single function, while a smartphone isn’t — but could be used to power an IoT platform. By aggregating billions of data points in real time across previously inaccessible environments, organizations stand to gain the strategic upper hand when it comes to uncovering key trends, identifying potential problems and enhancing brand value.

There’s massive potential in IoT networks: As noted by Forbes, more than 70 percent of executives say the IoT already delivers increased revenue, and 94 percent expect it to boost profits by 5–15 percent over the next year.

IoT Security — A Tale of Speed and Scale

Cyberattackers aren’t interested in hard-fought battles to compromise corporate networks. This is why phishing attacks are still one of the most prevalent — and profitable — threat vectors. Users remain weak points in enterprise security, making them easy targets for threat actors.

The emerging narrative of IoT security, meanwhile, is shaped by two key forces: speed and scale. As noted by Internet of Business, the rush to deliver market-ready IoT devices means that security is often skipped in favor of functionality, opening the door for botnet and distributed denial-of-service (DDoS)-type attacks that leverage connected (and unprotected) devices. Both device makers and users contribute to this concerning security landscape: As the IoB piece pointed out, just 28 percent of organizations say IoT-specific security strategies are “very important” despite plans to adopt these devices in greater numbers.

The scale of IoT network interaction is also problematic for security. Beyond the traditional requirements of confidentiality, integrity and availability, effectively securing IoT devices demands real-time authentication and authorization. As a result, expanding IoT networks quickly ramp up security complexity, providing opportunities for threat actors to carry out physical attacks such as man-in-the-middle (MitM), network attacks such as spoofing or cloning, software attacks that leverage stolen access credentials, or encryption attacks that target key algorithm implementation.

BYOD 2.0?

While it’s tempting to see IoT security as a unique corporate challenge, it bears striking similarities to another recent IT issue: bring-your-own-device (BYOD). Just like mobile devices leveraging the corporate network, IoT technologies often arrive without corporate vetting or IT oversight. Combined with rapidly improving technical capabilities such as data transfer and interdevice communication, IoT components and their mobile counterparts bear similar risks.

The critical difference is that IoT devices earn their BYOD 2.0 moniker because they’re often hidden in plain sight, either embedded in larger products or flying under the radar as one-off data collecting tools. Recent survey data shows that 48 percent of enterprises can’t detect all connected devices on their network, which creates a paradox: They must protect what they can’t see, even though they’re not sure how to find or secure devices at scale. As a result, just like first-generation BYOD deployments, companies are trying — but often failing — to secure critical IoT networks.

Risk: It’s Your Business

The state of IoT security is constantly evolving, but there’s enough data available to articulate five indisputable facts:

  1. As data accumulates, exposures will increase.
  2. Weak IoT configurations will persist.
  3. Shared secrets won’t stay secret.
  4. Software security will degrade over time.
  5. Devices will operate in both safe and hostile environments.

What does this mean for enterprises looking to safeguard devices and data? That managing risk is now everyone’s business. It starts with device manufacturers and developers building hardware- and software-level security controls by design to reduce potential compromise. Security firmware and software that’s nonexistent (or can’t be updated) is no longer an option.

End users also bear responsibility for sensible operation of IoT devices, which includes controlling access to sensitive data and ensuring account details remain secure. IT administrators, integrators and C-suite executives, meanwhile, must deploy intelligent solutions capable of defending endpoints at scale.

Take a Multilayered Management Approach

There’s no easy fix for end-to-end IoT security. The sheer number of devices, scope of complexity, and speed of adoption make it difficult for companies to keep pace with emerging threats, let alone get ahead of potential issues. As noted above, IoT risk is now a shared corporate responsibility, but making the leap from conceptual recognition to in-practice efficacy means adopting a new approach: multilayered management.

This requires three key components:

  1. Better blueprints — Design matters. IoT devices with firmware that can’t be updated or default username/password combinations that can’t be changed are inherently unsafe. By designing IoT technologies and networks around the concept of security — rather than attempting to build it in after the fact — enterprises can establish a security-first IoT framework.
  2. Ongoing integration — IoT devices are at their most vulnerable when they’re beyond IT and user oversight. As a result, companies must prioritize device interoperability, employee education and IoT security integration across existing infosec management programs to maximize visibility.
  3. Proactive protection — The evolving nature of IoT environments demands a proactive approach to device design and security. By anticipating future needs, such as granular data analysis and real-time event tracking, enterprises can drive enhanced IoT value.

Forging a 5G Future

It’s also worth noting the increasing impact of 5G communications on IoT security. While businesses shouldn’t expect widespread 5G rollouts yet, ZDNet noted the benefits of this standard in handling massive data volumes at high transaction rates to significantly boost IoT value. The caveat is that this means more data in transit for attackers to compromise, along with increased traffic bandwidth for IoT-based DDoS attacks. Similar to the IoT itself, 5G is equal parts promising and problematic.

The IoT Takeaway

Just like the internet of things, IoT security is rapidly evolving. Speed and scale conspire to increase attacker efficacy, and safeguarding critical enterprise assets requires a cultural responsibility shift combined with better design, deployment and defensive capabilities.
