April 17, 2017 By Scott Koegler

Internet of Things (IoT) devices are proliferating into unanticipated areas of businesses and personal lives. The explosion of IoT devices follows the familiar pattern of the bring-your-own-device (BYOD) movement, which has infiltrated the same spaces. What differentiates the two categories is the number of items and the cost of individual devices. But while the differences are substantial, IT can learn from its experience securing the BYOD population.

Threats Hidden in Plain Sight

The introduction of BYOD into the enterprise may have been unauthorized, but the products were typically not hidden. The smartphones, smart watches and other intelligent devices were generally used in plain sight. The risks they posed included unauthorized and unsecured access to enterprise systems through personal devices that were being used for work purposes. The fact that enterprise-level products could be put into service without IT oversight or proper security precautions took analysts by surprise. It also generated a rush to create software and services that could be installed on user-owned units and in enterprise infrastructure to reduce the threats they posed.

Similarly, these new smart products carry a variety of robust technical capabilities, such as communication and data transfer. They are also arriving without IT authorization or vetting. This time, however, they are not in plain sight: In many cases, the IoT components are embedded as part of some larger product. Most importantly, like BYOD, IoT devices notoriously lack security.

The Internet of Everything

IoT devices are often small and inexpensive components that add smart capabilities to the products that host them. Consumer products such as thermostats, smart TVs and refrigerators benefit from communications, sensor reading, and video and sound recording. In the enterprise, IoT devices such as copy machines, HVAC systems, VoIP phone systems and intelligent subsystems can be breached in under three minutes, according to a ForeScout report.

Unlike BYOD devices, which are comparatively fewer in number and generally costlier, IoT devices number in the billions and often cost just a few dollars. Manufacturers have little incentive to enable security measures in each device. Even if they did, standards for IoT security implementation have yet to be ratified.

Securing IoT Devices

You should assume that smart products currently exist in your enterprise. Here are the most important steps to take to manage and secure these devices.

  • Identify which devices have communication capabilities. If a device connects to your network and sends alerts, communicates with its manufacturer for warranty updates or provides any other indication that it is using its network connection to reach outside the enterprise, add it to your list of enabled systems.
  • Connect devices to your network only if there is a demonstrable benefit. If a device can function properly without a network connection or if its connection only provides marginal utility, disconnect it and test its functionality. Before reconnecting, ask the manufacturer how the product is intended to communicate and what measures have been taken to secure it.
  • Create a separate network specifically for smart device connections.
  • Disable Universal Plug and Play (UPnP). Do not allow automatic discovery and connection for networked devices. Make certain that any devices that request network access are reviewed for security and connected to the proper network segment.
  • Update firmware where possible. Contact manufacturers for firmware updates and ask what steps they have taken to add security measures to the systems you use.
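
The inventory, segmentation and UPnP steps above can be checked against network flow records. The following is an added example, not part of the original article: it flags devices that reach outside the enterprise without being on the reviewed list, devices that sit outside the dedicated segment, and devices still sending UPnP discovery traffic. The address ranges, inventory and flow records are constructed assumptions.

```python
import ipaddress

# Assumed address plan (hypothetical): enterprise space and the dedicated smart-device segment.
ENTERPRISE = ipaddress.ip_network("10.0.0.0/8")
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
SSDP = (ipaddress.ip_address("239.255.255.250"), 1900)  # UPnP discovery multicast group and port

# Constructed inventory of reviewed smart devices: source IP -> description.
INVENTORY = {
    "10.50.0.11": "HVAC controller",
    "10.20.3.40": "copier",
}

# Constructed flow records: (source IP, destination IP, destination port, protocol).
FLOWS = [
    ("10.50.0.11", "203.0.113.10", 443, "tcp"),      # HVAC controller reaching its vendor
    ("10.20.3.40", "198.51.100.7", 443, "tcp"),      # copier on the office LAN calling out
    ("10.20.3.40", "239.255.255.250", 1900, "udp"),  # copier sending UPnP discovery
    ("10.20.7.99", "203.0.113.55", 8883, "tcp"),     # unknown device talking to the outside
    ("10.20.1.5", "10.20.1.9", 445, "tcp"),          # internal-only traffic, ignored
]

def audit(flows, inventory):
    """Return {source_ip: sorted findings} for devices that need review."""
    findings = {}
    for src, dst, port, proto in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        uses_upnp = proto == "udp" and (dst_ip, port) == SSDP
        leaves = not dst_ip.is_multicast and dst_ip not in ENTERPRISE
        if not (uses_upnp or leaves):
            continue  # neither external communication nor UPnP discovery
        notes = findings.setdefault(src, set())
        if uses_upnp:
            notes.add("upnp-discovery")
        if leaves and src not in inventory:
            notes.add("uninventoried-external-talker")
        if src_ip not in IOT_SEGMENT:
            notes.add("outside-iot-segment")
    # Devices that are inventoried, segmented and UPnP-free produce no findings.
    return {ip: sorted(notes) for ip, notes in findings.items() if notes}

if __name__ == "__main__":
    for ip, notes in audit(FLOWS, INVENTORY).items():
        print(ip, INVENTORY.get(ip, "unknown device"), notes)
```
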

The population of IoT-enabled systems in the enterprise will continue to grow. IT must act now to establish procedures to evaluate the connections and systems currently in use and add appropriate evaluation criteria to standard purchasing procedures for new additions.
