When I do media spots, interviewers often ask me, “What is the best single thing you can do to prevent cyberattacks?” I jokingly respond, “Unplug and turn off all your devices — it’s a 100 percent security solution!” Ironically, when discussing Internet of Things (IoT) security, some people believe turning all devices off is an actual strategy.

Absolute IoT Security Is Not Practical

According to Dan Lohrmann, chief strategist and chief security officer (CSO) at Security Mentor, Inc., we should be aware of three things. First, just as with Wi-Fi, cloud computing and bring-your-own-device (BYOD) programs, the global IoT boat has already left the dock. Don’t be the naysayer who simply opposes all IoT devices in the name of cybersecurity concerns.

Second, you’ve got to know what is connected to your networks. Learn what IoT devices are being used, both openly with management approval and in shadow IT. Is sensitive data being protected? Are security features enabled and sufficient? Have default passwords been changed? Is encryption needed?

Finally, some IoT devices probably do need to be disconnected. But this should be a last resort after you’ve done your homework and worked with customers on offering business answers.

Industry Experts Weigh In

Tyler Carbone, COO, Terbium Labs:

At this point, I think disconnecting IoT devices would be like trying to put the genie back in the bottle. We need to move past thinking of IoT as a completely separate kind of problem. At the end of the day, these are computers, and they’re on the internet for the same reason our desktops are: It adds a lot of value.

I don’t think we should any more disconnect the entire IoT than we should disconnect the rest of the internet. That said, we do need to start thinking of this connectivity with security in mind. Again, think of desktop computers. Some should absolutely be air gapped. Others need to be on a network, but their security is critical enough that access must be severely restricted. Others can be more permissively configured, but those shouldn’t have permission to touch mission-critical systems.

We’re used to thinking about these problems for computers. With the IoT, because the market is still fairly young, there is a fair amount of, frankly, sloppy decision-making and one-size-fits-all network connectivity. That’s what we need to address to improve IoT cybersecurity — disconnecting everything would be too blunt an instrument here.

Shahid Shah, CEO, Netspective Communications:

We need to consider working on a consensus standard that would only allow IoT devices or data into our networks that could be minimally validated to be secure. This is difficult to define, but necessary. Any devices that haven’t passed minimal cybersecurity checks should be taken off the network until they’re shown not to cause harm to other participants in the network.

Scott Schober, President and CEO, Berkeley Varitronics:

I always encourage users to think before plugging in to the internet. They need to weigh convenience against security because, invariably, the more convenient an IoT device is, the less secure it is.

This is especially true of low-cost consumer IoT devices and sensors that cut corners on security in order to sell to the consumer masses. These consumer-driven IoT devices are easy to plug and play, but have no means to update or handle firmware upgrades when vulnerabilities eventually surface. So my advice extends all the way back to the point of purchase: Ask yourself if you even need such a connected device before you buy it. Then, if you’ve gone ahead with the purchase, think again before connecting it to the internet.

A Delicate Balance

When it comes to IoT security, like all other parts of cybersecurity, there is always a balance between usability and safety. The security practitioner’s goal should be to constantly balance this equation against the risk of a breach.

Listen to the podcast series: 5 Indisputable Facts About IoT Security

More from Endpoint

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Threat Management and Unified Endpoint Management

The worst of the pandemic may be behind us, but we continue to be impacted by it. School-aged kids are trying to catch up academically and socially after two years of disruption. Air travel is a mess. And all businesses have seen a spike in cyberattacks. Cyber threats increased by 81% while COVID-19 was at its peak, with 79% of all organizations experiencing a loss of business operations during that time. The risk of cyberattacks increased so much that the…

3 Ways EDR Can Stop Ransomware Attacks

Ransomware attacks are on the rise. While these activities are low-risk and high-reward for criminal groups, their consequences can devastate their target organizations. According to the 2022 Cost of a Data Breach report, the average cost of a ransomware attack is $4.54 million, without including the cost of the ransom itself. Ransomware breaches also took 49 days longer than the data breach average to identify and contain. Worse, criminals will often target the victim again, even after the ransom is…

How EDR Security Supports Defenders in a Data Breach

The cost of a data breach has reached an all-time high. It averaged $4.35 million in 2022, according to the newly published IBM Cost of a Data Breach Report. What’s more, 83% of organizations have faced more than one data breach, with just 17% saying this was their first data breach. What can organizations do about this? One solution is endpoint detection and response (EDR) software. Take a look at how an effective EDR solution can help your security teams. …