drone with a camera in flight
The IoT's reach is expanding at a more rapid pace than security measures. Here are some tips to keep up PHOTO: AzureEyes on unsplash

Depending on who you listen to, the Internet of Things (IoT) will reach either 26 billion or over 200 billion devices by 2020. Estimates of market size cover a similar spectrum, with experts predicting IoT will become a $1.9 trillion (Gartner), $7.1 trillion (IDC) or $19 trillion (Cisco) market by the same date. 

Worldwide mobile data is predicted to reach 49 exabytes per month by 2021, and Cisco suggests Internet of Everything (IoE) data will reach 507.5 zettabytes by 2019.

While the numbers vary, what is clear is the growing reach of IoT. And with growth, unfortunately comes increased security risks. Businesses and government agencies need to take deliberate steps to secure IoT assets. With careful planning, however, companies at the forefront of IoT can keep their business and customers safe.

What Makes IoT Security Challenging

We are moving forward with the IoT faster than our ability to secure it according to the recently published Booz Allen Hamilton's Field Guide to IoT Security. The authors also point out the extensive damage cyber attackers can do if they gain control of your systems, far worse than email or credit card theft.

“Pick something in IoT, and then imagine what would happen if foreign countries, cybercriminals — or just hackers looking for attention — had their way with it,” the report reads. It suggests those working with the IoT remain aware of four basic characteristics:

  1. The IoT is unlike traditional IT: It offers exponentially more ways into a system, creating higher risk.
  2. Forewarned is forearmed: The report identifies five types of IoT attackers, each with distinct motives, methods and targets.
  3. Trust is paramount: Violating IoT's unspoken social contract could cause an organization's IoT efforts to fall apart.
  4. Frameworks must be flexible: Four essential building blocks comprise an IoT security framework, but require regular reevaluation of risk assessments to keep pace with threats.

Carl Rodrigues
Carl Rodrigues
Carl Rodrigues, president and CEO of enterprise mobile management vendor SOTI warned of one other factor: despite advances in devices, security is still based on 30-year-old technology.

Rodrigues said businesses need to broaden their focus beyond endpoint security to endpoint management, to secure all connections between a user and the enterprise, no matter how small or large. The benefits the IoT can relay depend on delivering on this level of security, not relying on legacy tools. 

Old Problem, New Devices

IoT devices tend to have weaker security protections than regular computers, including hard-coded and widely known passwords, said Mike Baker, managing director of Phoenix-based cybersecurity consultancy Mosaic451. Many devices are also difficult to patch or update.

Michael Baker
Michael Baker
Adding to the confusion is the different channels IoT devices are sold through, resulting in no common controls regarding passwords, encryption or other security measures, and no “chain of custody” controls tracking who has handled a device or when. These vulnerabilities make IoT devices attractive targets for cyber criminals.

If you examine the largest data breaches, phishing scams and companies held hostage by ransomware over the past year, technology failed to offer protection in the majority of these cases.

“In each case, data was breached due to hackers or phishers successfully exploiting humans (i.e. employees). The proliferation of IoT devices has made the human element even more vulnerable because this area of security is often overlooked and is in fact the weakest link,” Baker said.

Baker suggests a number of tactics to increase security in these cases: 

  • Mobile Device Management (MDM): Forces people to install a profile to meet minimum security status
  • Limit Access to Consumer Data: Limits employee access to only those systems and data they need to perform their jobs
  • Strong cryptography: Renders all passwords unreadable during storage and transmission
  • Data Loss Prevention (DLP): Monitor the flow of outbound data and stop it based on policy
  • Web filtering technology (WFT): Block the use of social media sites, or at minimum, provide view-only access to social media sites.

Protecting the Enterprise From IoT Threats

Stephen Gates
Stephen Gates
According to chief research intelligence analyst at Zenedge, Stephen Gates, the problem with IoT devices is more than just a problem of protecting enterprise devices. Businesses need to consider two additional factors.

He suggested organizations never deploy the IoT devices they own with public IP addresses or outside of firewalls. Firewalls must protect all devices — including IoT — to block all incoming traffic from the internet to prevent these devices cannot be remotely exploited, since incoming traffic can’t get through a properly configured firewall.

The other factor involves IoT devices the enterprise doesn't own. These devices, predicted to number in the billions in the next few years, can be conscripted into botnets and are fully capable of doing every hacking activity traditionally accomplished on computers.

These devices need to be treated the same as any other unknown device. Concerning IoT-based attacks from the internet targeting web applications and underlying databases, Gates recommends implementing a bot management solution, in combination with a web application firewall (WAF), DDoS defenses and API-based security measures.

Trusted Internal Networks Are a Thing of the Past

Bryce Austin
Bryce Austin
The problems IoT-connected devices pose should be viewed in light of data and device security across the enterprise in general. Bryce Austin has written extensively on the subject of cybersecurity and is CEO of Technology and Cybersecurity Education (TCE). He said IoT devices do not represent a new threat in large enterprises, rather they are simply a new variety of untrusted computers that have made their way inside the corporate castle, a problem businesses have dealt with for decades.

“The real threat is that many cybersecurity programs are built on the notion that all devices on the internal network are friends, not foes. The IoT is bringing huge numbers of diverse products into the enterprise, and most of these products lack basic cybersecurity best practices,” he told CMSWire. 

Austin suggested a three-pronged strategy to manage the problem:

  1. Shift your cybersecurity assumptions to not trust devices on the trusted internal network. The notion of a trusted internal network is a thing of the past. Cybersecurity systems must look from the inside-out to the outside-in for abnormal behavior.
  2. Actively pursue IoT devices that can prove they follow cybersecurity best practices. If you can't beat 'em, join 'em. The IoT is coming and it won’t go away. It is better to find IoT devices that have fundamental cybersecurity controls than it is to say we don't allow IoT devices and watch users ignore that rule. 
  3. Implement a strong cybersecurity awareness training program. Your users are not yet aware of the potential risks IoT devices may pose.

“They know that a fire in a building can cause serious damage to a company, and even bring life safety issues. They don't know that the IoT connected fish tank they just brought in from home can cause a data breach the size of Texas,” he said.