IoT Security: The Cold, Hard Truth About Digital Device Defense
With the IoT market on track to reach $800 billion this year and more than 2 billion connected devices already in the wild, it’s no surprise that Internet of Things (IoT) security is now a top priority for cutting-edge enterprises. The challenge? Actually making inroads. While updating stock passwords and improving employee education are helping deflect entry-level attacks, widespread distributed denial-of-service (DDoS) and botnet incidents are on the rise. It begs the question: Is better digital device defense possible, or is IoT insecurity inevitable?
Emerging Issues With IoT Security
Users aren’t certain about IoT. According to Intelligent Transport, recent survey data showed that 90 percent of consumers lack confidence in IoT security, citing concerns about leaked data (60 percent) and compromised personal information (54 percent).
These fears aren’t unfounded. One popular children’s toy uploaded thousands of unencrypted voice recordings — of both adults and children — to a publicly accessible database, as TechCrunch reported. Earlier this year, the data was compromised and ransomed.
Ninety-six percent of organizations, meanwhile, believe that governments aren’t doing enough to regulate the IoT ecosystem, with 67 percent worried that cybercriminals could seize control of their devices, according to TechRadar. There’s solid data to support this concern: Last month, a new threat named IoT Reaper used existing IoT flaws to take control of more than 2 million devices worldwide, such as security cameras, network video recorders and digital video recorders. While no large-scale attacks have originated from Reaper, source code analysis indicates the presence of DDoS support, meaning it may only be a matter of time.
Defense of IoT devices has been conflated with securing mobile technologies, such as smartphones and tablets, since they share basic similarities. But occasionally changing passwords isn’t good enough when access to Internet-connected sensors could give threat actors complete freedom to roam corporate networks.
The typical mantra of better employee training also falls flat, since just 14 percent of users and enterprises describe themselves as “knowledgeable” about IoT security, meaning there’s often confusion at both the top and bottom ends of an organization about how to effectively safeguard IoT networks. Add in the lack of standardization — some manufacturers now build in native security, while others argue that end users are responsible for securing devices — and it’s no surprise that IoT offerings are both compelling for enterprise efficiency and terrifying for their role in potential compromise.
Building a Better Mousetrap
If traditional security methods don’t stack up, how can enterprises build better IoT defense? Below are some suggestions.
In a recent Information Age article, ForeScout CIO Julie Cullivan said that “undetected devices can significantly expand an attack surface, yet are invisible to many traditional, agent-based security solutions.” Here, it’s a case of putting the cart before the horse — enterprises need tools capable of detecting all endpoints on their network before implementing any broad-based policy.
Mobile device management (MDM) and enterprise mobility management (EMM) are no longer enough. Simply managing devices doesn’t provide critical insight into how applications are used or the extent of data manipulation.
IoT security demands cognitive-enabled unified endpoint management (UEM), which both provides granular control over all endpoints, regardless of type or location, and lets professionals secure specific applications on these devices. This might be as simple as ensuring that IoT-enabled thermostats only have access to data necessary for local climate control, but without effective UEM this simple task becomes a major headache.
Security expert Bruce Schneier, CTO of IBM’s Resilient Systems, put it simply, saying: “We’re building a robot the size of the world and most people don’t even know it.” With IoT sensors that can see and hear, connected devices that can physically manipulate objects and a host of network-enabled machines devoted to processing generated data, Schneier’s assertion isn’t so far-fetched.
It lends credence to his argument that it’s time for governments to start regulating IoT. Given the massive size and scope of connected devices, corporate-level regulation can only do so much. But by creating and adopting worldwide standards, there’s hope that enterprises can collectively combat IoT threats.
So what’s the final answer? Is IoT security hopeless? Not quite. While current methods don’t stack up, parallels with cloud security suggest an improving outlook for device defense. As enterprises and governments recognize IoT networks as separate and distinct from other mobile devices, growing specialization will drive the creation of improved visibility tools, spur the innovation of advanced cognitive solutions and encourage governments to take an active role in regulation.