I’ll give you fair warning — what I am about to say is going to blow your mind: Connected devices are insecure. Take a moment if you need it.
While I jest, these realities are not breaking news. But if the devices themselves are insecure, is end-to-end security of the Internet of Things (IoT) even possible? And if it is possible, is it so costly that only the big guys can afford it?
Keeping Pace With IoT Security Threats
The threats from these devices will only increase, given that the number of connected devices is expected to proliferate to 125 billion by 2030. As the device population increases, so does the population of cybercriminals who can seize control of corporate devices with very affordable and widely accessible distributed denial-of-service (DDoS)-as-a-service products.
IoT security has been a top cybersecurity concern for the past three consecutive years. However, IoT developers lag when it comes to building security into devices. In fact, some developers have conceded to the challenges of securing every line of code and have begun securing critical systems exclusively. By failing to protect lines of code that are deemed less critical, these developers leave backdoors open to attackers.
The U.K. government recently called for device manufacturers to build security into their products. While there are currently no regulations related to IoT security, the hope is that this decree will make devices themselves more secure. However, as Mark Weir, director of cybersecurity at Cisco U.K. and Ireland, explained, “To ensure our nation collectively remains safe, we must ensure that smart devices are connected to a network that is equally as secure end-to-end, providing full visibility to any threats as they emerge so that they can be contained and dealt with responsibly.”
Enterprises that rely on the widespread use of connected devices for business productivity need to understand how to achieve strong network security. To that end, a recent Institute of Electrical and Electronics Engineers (IEEE) white paper offered best practices for securing connected devices, networks and IoT systems. When talking about IoT security, many leaders in the industry believe that new and emerging technologies have the potential to make end-to-end security not only possible, but also financially feasible.
Shifting Left of Boom
Mustering the resources to defend organizations in today’s complex digital environment takes grit. The beloved Atticus Finch of Harper Lee’s famous “To Kill a Mockingbird” might even say that it takes courage: “It’s when you know you’re licked before you begin but you begin anyway and you see it through no matter what. You rarely win, but sometimes you do.”
Josh Lefkowitz, CEO and co-founder of Flashpoint, echoed Finch’s sage advice: “The landscape is so incredibly complex, dynamic and multivariable that no solution on earth is ever going to deliver 100 percent proactive coverage,” he said. However, organizations should strive to be as “left-of-incident” as possible, thereby minimizing the window during which attackers can inflict damage.
But how can security teams get left of boom when the task of manually monitoring network devices and system administrators is so resource- and time-intensive? According to Chris Morales, head of security analytics at Vectra, “It is crucial to have visibility inside the network that can adapt to the dynamics of growth and change.” Organizations should also invest in technology that automates real-time analysis of communication, administrators, devices and human behaviors.
Any conversation about security must also look at issues with legacy systems, according to Jon Oltsik, senior principal analyst at ESG. There are numerous tools available for managing mobile and endpoint devices and protecting data, all of which require administrator training and different management consoles that must be tested, deployed and operated. Organizations should consider whether a unified endpoint management (UEM) platform is a viable solution for the challenges in their environments.
“These days, we have public clouds, big data technologies, open source, artificial intelligence, etc. In other words, modern compute, network and storage technologies should be able to overcome the challenges we faced 20 or more years ago,” Oltsik wrote.
No Easy Fix for End-to-End IoT Security
The problem is that IoT security is not an easy fix, as noted by Kamal Anand, vice president of cloud business unit at A10 Networks, in a 2017 report titled “Cybersecurity in an IoT and Mobile World.” The report shared expert opinions on how to change the tide of the cybersecurity arms race. Like Oltsik, Anand said he is optimistic about technology and the potential of AI and machine learning to help gain some ground on the virtual battlefield.
By implementing device security, data protection and cognitive risk management tools while proactively gathering threat intelligence across the IoT landscape, organizations can build toward end-to-end security. Successful IoT security efforts start with knowing the risks to the network and understanding the way IoT devices interact with corporate data. Security teams should also be sure to change default passwords and credentials. These basic best practices can help security leaders make a stronger business case for investing in the tools and resources necessary to proactively defend against IoT threats.
Listen to the podcast series: Five Indisputable Facts about IoT Security