It is easy to see how a chief information security officer (CISO) might predict that challenges related to threat management for traditional assets will be compounded by the rapid adoption of internet of things (IoT) devices in enterprise buildings. Despite these IoT security challenges, as Simon Langley, CISO of U.K. grocery retailer Morrisons, explained in an interview for SecurityIntelligence, security teams should actively prepare for and enable innovation with the IoT.
Myth: Enterprise IoT Security Is Not Yet a Priority
Innovation is an important part of Morrisons’ culture, and the company is already leveraging the IoT to improve the customer experience, realize efficiencies and grow their business.
“At any given time, there could be 10 managers innovating with IoT,” Langley noted. “My department cannot be seen as impeding this innovation.”
Langley is not alone. Enterprises are innovating with IoT technologies at great scale. By 2021, more than 85 percent — or $1 trillion — of enterprise IoT project investments will be built on net-new technology spending.
Yet IoT security — specifically, device visibility — remains elusive for many organizations, making threat management difficult. Internal research from Armis found that at least 40 percent of connected devices are currently invisible to the CISO. Since only half of organizations are monitoring known IoT devices within their environments, according to a Ponemon Institute study, threat management for enterprise IoT is a clear and present priority.
Fact: Threat Management for the IoT Is Here and Now
Because enterprises are expected to invest $520 billion in IoT technologies over the next few years, security analysts predict that more than 25 percent of identified attacks against enterprises will involve the IoT by 2020.
Even if a company isn’t as quick to adopt emerging technology as Morrisons, there is already a significant number of unmanaged assets and connected devices in the enterprise’s retail, office and warehouse spaces. Printers, badge readers, IP cameras and phones, networking equipment, video and phone conferencing equipment, and smart TVs are among the many connected devices that tend to go undiscovered and, as a result, are not included in current threat management programs.
In addition to enterprise-owned IoT devices, Langley pointed out that connected things brought to work by employees pose a threat.
“The threat, of course, is that connected devices employees bring to work can be used to leapfrog onto the network,” he explained.
Since 47 percent of companies already have employee-owned digital assistants in their workplace, according to Infoblox, the inherent threat is here and now.
The IoT Won’t Be the Straw That Breaks the CISO’s Back
With considerable investment in IoT devices in enterprise buildings, as well as the massive number of unmanaged assets and connected things brought to the workplace, the IoT seems like a straw heavy enough to break the CISO’s back.
However, Eric Maass, director of strategy and emerging technology at IBM Security Services, said proactive CISOs like Langley will approach IoT devices as they would any other endpoint.
“Using the existing NIST Cybersecurity Framework, a threat management program can be extended to unmanaged, IoT devices,” Maass explained.
Maass said the IoT poses unique security challenges that demand a shift from traditional approaches to asset management to a new approach that includes:
- Passively identifying unmanaged devices;
- Detecting anomalies to understand bespoke communications patterns; and
- Crowdsourcing connected devices’ behavioral characteristics to establish credible baselines for machine learning models.
While the IoT has a multiplier effect on asset management challenges, Langley also noted that CISOs who get in front of the issue will enable innovation within their organization. In other words, rather than being the last straw for the CISO, threat management for enterprise IoT can be an opportunity to show how proactive security opens the door to enterprisewide innovation.