When I do media spots, interviewers often ask me, “What is the best single thing you can do to prevent cyberattacks?” I jokingly respond, “Unplug and turn off all your devices — it’s a 100 percent security solution!” Ironically, when discussing Internet of Things (IoT) security, some people believe turning all devices off is an actual strategy.

Absolute IoT Security Is Not Practical

According to Dan Lohrmann, chief strategist and chief security officer (CSO) at Security Mentor, Inc., we should be aware of three things. First, just as with Wi-Fi, cloud computing and bring-your-own-device (BYOD) programs, the global IoT boat has already left the dock. Don’t be the naysayer who simply opposes all IoT devices in the name of cybersecurity concerns.

Second, you’ve got to know what is connected to your networks. Learn what IoT devices are being used, both openly with management approval and in shadow IT. Is sensitive data being protected? Are security features enabled and sufficient? Have default passwords been changed? Is encryption needed?

Finally, some IoT devices probably do need to be disconnected. But this should be a last resort after you’ve done your homework and worked with customers on offering business answers.

Industry Experts Weigh In

Tyler Carbone, COO, Terbium Labs:

At this point, I think disconnecting IoT devices would be like trying to put the genie back in the bottle. We need to move past thinking of IoT as a completely separate kind of problem. At the end of the day, these are computers, and they’re on the internet for the same reason our desktops are: It adds a lot of value.

I don’t think we should any more disconnect the entire IoT than we should disconnect the rest of the internet. That said, we do need to start thinking of this connectivity with security in mind. Again, think of desktop computers. Some should absolutely be air gapped. Others need to be on a network, but their security is critical enough that access must be severely restricted. Others can be more permissively configured, but those shouldn’t have permission to touch mission-critical systems.

We’re used to thinking about these problems for computers. With the IoT, because the market is still fairly young, there is a fair amount of, frankly, sloppy decision-making and one-size-fits-all network connectivity. That’s what we need to address to improve IoT cybersecurity — disconnecting everything would be too blunt an instrument here.

Shahid Shah, CEO, Netspective Communications:

We need to consider working on a consensus standard that would only allow IoT devices or data into our networks that could be minimally validated to be secure. This is difficult to define, but necessary. Any devices that haven’t passed minimal cybersecurity checks should be taken off the network until they’re shown not to cause harm to other participants in the network.

Scott Schober, President and CEO, Berkeley Varitronics:

I always encourage users to think before plugging in to the internet. They need to weigh convenience against security because, invariably, the more convenient an IoT device is, the less secure it is.

This is especially true of low-cost consumer IoT devices and sensors that cut corners on security in order to sell to the consumer masses. These consumer-driven IoT devices are easy to plug and play, but have no means to update or handle firmware upgrades when vulnerabilities eventually surface. So my advice extends all the way back to the point of purchase: Ask yourself if you even need such a connected device before you buy it. Then, if you’ve gone ahead with the purchase, think again before connecting it to the internet.

A Delicate Balance

When it comes to IoT security, like all other parts of cybersecurity, there is always a balance between usability and safety. The security practitioner’s goal should be to constantly balance this equation against the risk of a breach.

Listen to the podcast series: 5 Indisputable Facts About IoT Security

More from Endpoint

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today