Once seen as just a utility to monitor and control a variety of devices, the Internet of Things (IoT) has become a reality. Devices available for IoT deployment range from household products like thermostats and garage door openers to units that control manufacturing systems and robotic devices. Unfortunately, many of these systems were designed without sufficient consideration given to security implications.
How does the complexity of an IoT deployment impact security and how do enterprises need to protect themselves? According to AT&T’s “CEO’s Guide to Securing the Internet of Things,” 85 percent of enterprises plan to deploy IoT devices, but only 10 percent feel confident that they can secure those devices against cybercriminals. That’s worrisome, considering there are more than 5 billion internet-enabled devices in use today, with more than 20 billion expected by 2020.
“While most hacking of IoT centers on the actual devices themselves, oftentimes the back-end systems that control these devices are just as susceptible to attacks,” Schalit explained.
“So it really begins at the enterprise level, as devices are usually installed inside the secure perimeter of an enterprise network. Unfortunately, that perimeter can be easily penetrated or disabled. On top of that, insider threats, whether malicious or accidental, make up 70 percent of cyberattacks, and they usually originate inside that perimeter. So security is twofold: Secure the network and the things themselves.”
Vulnerabilities Are Everywhere
“Research has repeatedly shown that many IoT device manufacturers and service providers are failing to implement common security measures in their products,” said Schalit. “Consider the fact that many of the IoT devices will have long lives (microwaves, fridges, etc.) and very limited user interface [UI]. Most of them will contain known vulnerabilities for years. IoT devices are everywhere, which means vulnerabilities are everywhere.”
At-risk environments include homes, personal communication devices, automobiles, manufacturing environments, offices and more.
Inexperience and Fragmentation
“The first problem is that many organizations often lack tools and policies to monitor and secure the device,” Schalit explained. According to a recent ForeScout Technologies survey, 30 percent of organizations surveyed lack a specific security solution for their IoT deployment. Additionally, more than a quarter said they did not know if their companies had IoT security policies.
“There is often much fragmentation within enterprise IT,” Schalit continued. “Operations is separate from the information security group, which creates many issues for identifying and managing these technologies. Additionally, passwords ignore the border between home and work. The same person is using the same digital accounts on both sides, as we all do personal things at work and work at home. The same holds for the exposure. An employee who uses the same poor passwords for his personal accounts and his work accounts puts his entire organization at risk.”
Password managers and managed identity services are some of the ways companies can help manage the issue.
Lack of Visibility
As Schalit wrote on Dashlane’s blog: “People are digitizing details of their life at a rapid pace, but they are not replicating basic real-life security behavior. Just think how many people still use the same password for several websites. … Many people tend to underestimate the risks they encounter while using the internet and think they can simply reset their email or cancel bank transactions if they are hacked.”
The nature of cyberrisk has changed. A few years ago, a digital risk was fully contained in a personal computer. Companies protected themselves with antivirus and firewall software. Today, the risk is in the cloud and the devices that connect to it — that is to say, everything.