IoT, the internet of things, is everywhere, including inside your enterprise environment. And that’s a very good thing. IoT has been a blessing for enterprises: It can make employees more productive and enable crucial business processes to run more smoothly, intuitively, and efficiently. Yet the same technology also makes your enterprise more vulnerable in many ways.
The Vast Range of Enterprise IoT
At this point in the game, it’s impossible to imagine giving up IoT, as it’s become a must in every enterprise environment. Most IoT technology in an enterprise setting falls into one or more of three categories:
- Smart-building technology: Elevators, thermostats, HVAC systems, smart-lighting hubs
- Smart office technology: Badge readers, cameras, routers
- Smart business technology: Conferencing equipment, smart TVs, smart boards, virtual assistants like Alexa
While these devices are certainly useful, they also create weaknesses in your carefully planned network security.
Why IoT Is Innately Vulnerable
IoT devices come with a few intrinsic flaws that make them an unacceptable security risk:
- Lack of standardization creates a hodgepodge of devices
- Weak security approach, including flimsy or nonexistent passwords
- Outdated and unpatchable architecture, firmware, software
- Larger number of devices expands the attack surface and opens up the possibility of a botnet campaign
As a result, it’s all too easy for hackers to gain access to these devices and either wreak havoc with the IoT devices themselves or move laterally to harm mission-critical systems and steal the personally identifiable information (PII) of customers or employees, intellectual property, or other assets. Hackers may also gain control over the network and hold it for ransom.
In general, vendors build and sell IoT solutions based on functionality and ease of use, often rushing products to market to beat the competition—without looking at the security big picture.
How to Properly Secure IoT Devices
IoT can be a weak link in your security. Here are three best practices to follow to defend your organization against attacks initiated through or by taking advantage of compromised IoT devices:
1. Smarten Up Your Passwords
Most organizations use the weak default passwords that come with their IoT devices. That’s not laziness; it’s often hard to change the passwords both because of the sheer number of IoT devices you have to manage and because the interface is usually unclear or hard to use. Ideally, each device should have its own secure password so that even if an intruder gains access to a single device, their potential to do damage is reduced.
Buying Tip: When investing in new IoT devices, make sure it will be easy to change passwords from time to time.
2. Apply All Possible Patches
IoT hardware comes and goes quickly. That leaves an uneven patching landscape in which manufacturers may go out of business or devices may reach end-of-life quickly. A software or firmware patch may be available for certain devices, especially now that a few high-profile IoT-based attacks have made the news and some manufacturers are smartening up and releasing patches.
Buying Tip: When choosing new IoT devices, ensure that the manufacturer has built in a reasonably easy-to-implement patch capability.
3. Move Toward Zero Trust
Many organizations today are moving toward a “zero-trust” model centered on the principle, “Never trust. Always verify.” In this model, each user is verified before being given access based on the principle of “least privilege,” i.e., only for legitimate business purposes. This can prevent lateral attacks even if an intruder breaches your network. Network segmentation is another way to block untrusted users from moving laterally through your organization.
Buying Tip: For all new IoT devices, make sure you choose products that can support a zero-trust network architecture.
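The default-deny, least-privilege check that a zero-trust, segmented network applies to IoT traffic, as an added example that is not part of the original article. The device types come from the categories listed earlier; the addresses, ports, inventory and policy are constructed assumptions.

```python
import ipaddress

# Constructed least-privilege policy: for each device type, the only
# (network, port) destinations its business function needs. All else is denied.
POLICY = {
    "camera":       [("10.20.0.10/32", 554)],   # video recorder (assumed)
    "badge-reader": [("10.20.0.20/32", 443)],   # access-control server (assumed)
    "thermostat":   [("10.20.0.30/32", 8883)],  # building-management broker (assumed)
}

# Constructed inventory: source IP -> verified device type.
INVENTORY = {
    "10.50.1.11": "camera",
    "10.50.1.12": "badge-reader",
    "10.50.1.13": "thermostat",
}

def evaluate(src, dst, port):
    """Return (allowed, reason) for one flow under a default-deny policy."""
    device = INVENTORY.get(src)
    if device is None:
        return False, "unknown device: never trust an unverified source"
    dst_ip = ipaddress.ip_address(dst)
    for cidr, allowed_port in POLICY.get(device, []):
        if dst_ip in ipaddress.ip_network(cidr) and port == allowed_port:
            return True, f"{device} permitted by least-privilege rule"
    return False, f"{device} has no business need for {dst}:{port}"

def audit(flows):
    """Return (flow, reason) for every flow the policy would block."""
    results = [(flow, evaluate(*flow)) for flow in flows]
    return [(flow, reason) for flow, (ok, reason) in results if not ok]

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.50.1.11", "10.20.0.10", 554),   # camera -> its recorder
    ("10.50.1.11", "10.10.5.7", 1433),   # camera -> a database server
    ("10.50.1.13", "10.50.1.12", 23),    # thermostat -> badge reader
    ("10.50.1.99", "10.20.0.10", 554),   # device missing from the inventory
]

if __name__ == "__main__":
    for flow, reason in audit(FLOWS):
        print("DENY", flow, "-", reason)
```

Only the first flow passes; the other three are the lateral or unverified connections that segmentation is meant to stop.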