Today there are 9 billion devices connected to the Internet. As we move toward a day when most devices will be Internet connected, this growth trend will not subside. The day of IoT (Internet of Things) is upon us. IoT takes what were once considered non-computerized devices and gives them a processor, software and network connectivity. Effectively, these devices become “smart” because they contain a small computer and are connected to a network or the network of networks, the Internet.
These devices can be smart televisions, smart thermostats, home/building automation systems, medical devices, etc. Given these changes in the industry, we are in for explosive growth of the IoT, and it will significantly impact businesses small and large. The Internet of Things brings with it some of the headaches of BYOD (Bring Your Own Device) along with entirely new ones we will have to address. Some of the many challenges are:
With so many connected devices we will see infinite options for exploitation by cybercriminals. Unlike the mature operating systems of desktops, servers and even mobile devices, these devices will offer little protection from the endless risk they inject into the enterprise. They can be used by both malicious and unknowing employees to leak sensitive information and even intellectual property out of the enterprise.
As Symantec researcher Kevin Haley detailed in his “2014 Predictions from Symantec”:
“With millions of devices connected to the Internet—and in many cases running an embedded operating system—in 2014, they will become a magnet for hackers. Security researchers have already demonstrated attacks against smart televisions, medical equipment and security cameras. Already we’ve seen baby monitors attacked and traffic was shut down on a major tunnel in Israel, reportedly due to hackers accessing computer systems via a security camera system.”
Privacy these days seems to be of growing importance to users as the risks and costs come into clear view. Modern IoT devices will collect, transmit and store all kinds of data in places that will have real-world privacy consequences. These will not be in the realm of theory but will come as direct costs, vulnerabilities, and repercussions. As the reality of these issues starts to sink in, the uproar will eventually become predictably palpable.
With the myriad of devices and their lack of standardization we are in a place where there is more risk than one would like. Hopefully, a unified standard will emerge — but right now there is none. This lack of maturity mirrors that of the early days of modern desktop operating systems.
Support for open industry standards is absolutely critical for any technology. Unfortunately, IoT isn’t as mature or standards based as the traditional desktop/server or even mobile space. Notably, the standards are a work in progress and time will certainly improve them.
IoT isn’t going away, but our embrace of this new technology should be measured. We ought to take some simple steps to minimize our risks:
- Minimize the presence of IoT devices in your enterprise until you can quantify the risks and address them.
- If any of these devices are to be deployed, then take steps to minimize risks with policy, training and technology.
- Always take a “defence-in-depth” or layered approach in securing these devices.
- Include these devices in your security audits, pentests and patch management plans.
- Add IoT to your policies so that users understand the risks and their responsibility to protect the enterprise. Require users to read and sign the policies on a yearly basis.
While it is clear that IoT has immense promise, we need to assess and address the risks it brings to bear. Like all other technology, it has immense potential. Notwithstanding, we have to be diligent in how we invest in and deploy IoT to extract the greatest return.
What’s your experience with IoT? What are you doing to minimize your risks and maximize your benefits?