The Internet of Things (IoT) is everywhere — literally. Growing at a seemingly immeasurable rate among businesses and consumers, these smart devices are super cool now, but what does the future hold in terms of IT and security? I’m not convinced it’s going to be all that rosy when everything is said and done.
Security and the Internet of Things
I’ve always said that if a computer system has an IP address or a URL, then it’s fair game for attack. And while there is a lot of talk around the security of IoT systems, there’s not a ton of incentive for many manufacturers to actually lock things down. Even in cases where built-in security does exist, that doesn’t mean it’s going to mesh well with your enterprise information security program.
Odds are good that IoT systems are not going to be patchable in the same ways as traditional network systems. Ditto for hardening, monitoring, alerting and the myriad other security steps that need to be taken on devices connected to your network. I believe that most organizations are going to end up with a mishmash of disparate devices that enterprise security controls don’t play nicely with, if at all.
This is different than typical workstations, servers and network infrastructure systems in use today. For the most part, those tools are purpose-built, easily managed and eventually replaced with systems that work better. I believe we’re going to see IoT systems hanging around the business network for a much longer period. For these smaller, niche systems, the system life cycle is just not the same.
Whether IoT systems are present in the enterprise, in the home or somewhere in between, they are no doubt going to have an impact on information security in business. Traditional security controls may not work for IoT systems, and they could be creating business risks if left in place. What happens when they’re exploited? Who’s going to be responsible for keeping them in check? If this does indeed become a reality for your organization, what are you going to do?
Making Moves
You can’t afford to wait to act until you end up with countless devices on your network, furthering the complexity of your environment and leading to a “too little, too late” situation. You have to start thinking about how IoT systems are going to be managed or otherwise controlled over the long term. They’re going to show up, and they’re going to create security challenges. Even if it’s sight unseen today, now’s the time to start addressing IoT security. Written policies, technical safeguards for detecting and securing IoT systems and user awareness are three great places to start.
Independent Information Security Consultant
Kevin Beaver is an information security consultant, writer, and professional speaker with Atlanta-based Principle Logic, LLC. With over 29 years of experienc...