It is easy to see how a chief information security officer (CISO) might predict that challenges related to threat management for traditional assets will be compounded by the rapid adoption of internet of things (IoT) devices in enterprise buildings. Despite these IoT security challenges, as Simon Langley, CISO of U.K. grocery retailer Morrisons, explained in an interview for SecurityIntelligence, security teams should actively prepare for and enable innovation with the IoT.

Myth: Enterprise IoT Security Is Not Yet a Priority

Innovation is an important part of Morrisons’ culture, and the company is already leveraging the IoT to improve the customer experience, realize efficiencies and grow their business.

“At any given time, there could be 10 managers innovating with IoT,” Langley noted. “My department cannot be seen as impeding this innovation.”

Langley is not alone. Enterprises are innovating with IoT technologies at great scale. By 2021, more than 85 percent — or $1 trillion — of enterprise IoT project investments will be built on net-new technology spending.

Yet IoT security — specifically, device visibility — remains elusive for many organizations, making threat management difficult. Internal research from Armis found that at least 40 percent of connected devices are currently invisible to the CISO. Since only half of organizations are monitoring known IoT devices within their environments, according to a Ponemon Institute study, threat management for enterprise IoT is a clear and present priority.

Fact: Threat Management for the IoT Is Here and Now

Because enterprises are expected to invest $520 billion in IoT technologies over the next few years, security analysts predict that more than 25 percent of identified attacks against enterprises will involve the IoT by 2020.

Even if a company isn’t as quick to adopt emerging technology as Morrisons, there is already a significant number of unmanaged assets and connected devices in the enterprise’s retail, office and warehouse spaces. Printers, badge readers, IP cameras and phones, networking equipment, video and phone conferencing equipment, and smart TVs are among the many connected devices that tend to go undiscovered and, as a result, are not included in current threat management programs.

In addition to enterprise-owned IoT devices, Langley pointed out that connected things brought to work by employees pose a threat.

“The threat, of course, is that connected devices employees bring to work can be used to leapfrog onto the network,” he explained.

Since 47 percent of companies already have employee-owned digital assistants in their workplace, according to Infoblox, the inherent threat is here and now.

The IoT Won’t Be the Straw That Breaks the CISO’s Back

With considerable investment in IoT devices in enterprise buildings, as well as the massive number of unmanaged assets and connected things brought to the workplace, the IoT seems like a straw heavy enough to break the CISO’s back.

However, Eric Maass, director of strategy and emerging technology at IBM Security Services, said proactive CISOs like Langley will approach IoT devices as they would any other endpoint.

“Using the existing NIST Cybersecurity Framework, a threat management program can be extended to unmanaged, IoT devices,” Maass explained.

Maass said the IoT poses unique security challenges that demand a shift from traditional approaches to asset management to a new approach that includes:

  • Passively identifying unmanaged devices;
  • Detecting anomalies to understand bespoke communications patterns; and
  • Crowdsourcing connected devices’ behavioral characteristics to establish credible baselines for machine learning models.

While the IoT has a multiplier effect on asset management challenges, Langley also noted that CISOs who get in front of the issue will enable innovation within their organization. In other words, rather than being the last straw for the CISO, threat management for enterprise IoT can be an opportunity to show how proactive security opens the door to enterprisewide innovation.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…