Why IoT Security Needs to Be in Your Threat Management Strategy

When it comes to protecting an organization from cyber threats, there are now a wide range of potential vulnerabilities to consider. Issues such as mobile security, shadow IT, and cloud computing all demand close attention, but there’s another area that’ll be increasingly essential for businesses across all sectors - the Internet of Things (IoT).

The use of these tools is expected to boom over the coming years in both our personal and professional lives. In the workplace, IoT tools may be used for everything from monitoring and adjusting a building's environmental controls to tracking the location of employees in the field, and often combine with other tools such as AI to optimize systems and make operations more efficient.

In fact, B2B spending on IoT solutions is expected to reach $267 billion by the end of 2020, including hardware, software, and services solutions. Meanwhile, Business Insider Intelligence forecasts there’ll be 64 billion IoT devices installed around the world by 2026, helping firms improve productivity, cut costs, and develop new products and services.

The risks posed by unmanaged IoT

Because IoT devices are still a relatively new part of many firms' network and often don’t have the same high-security protections as other devices, criminals are keen to exploit any weaknesses.

Indeed, according to Symantec, IoT devices experience an average of 5,200 attacks per month, while Gemalto claims almost half of businesses (48%) would be unable to detect if a breach had occurred within their IoT networks.

The consequences of this can be severe. While some IoT attacks - such as those that turn your devices into botnets - may only result in a spike in internet usage or a slowdown in speeds as their processing resources are diverted elsewhere, others could result in the loss of highly sensitive personal data or even allow hackers to shut down critical systems.

Therefore, it's vital that IoT security plays a central role in your threat management strategy. No matter what type of IoT device you have connected to your network, having a clear plan in place for the deployment and management of these tools can prevent costly data breaches or other cybercrime activity.

Five steps to take control of your IoT environment

However, putting the right defenses in place may be a challenge. The IoT isn’t like traditional IT, as it offers a wide variety of potential endpoints to a system that standard security practices may not cover. Therefore, here are a few key steps to ensure IoT devices are being deployed securely:

1. Gain visibility

The first task will be to ensure you’re aware of what IoT devices are on your network and what their vulnerabilities may be, and this can be a harder task than it appears, especially if you aren't clear on what constitutes an IoT device.

The first step should be to conduct an audit to detect any unknown device types, including details such as:

• Type
• Model
• Manufacturer
• Installed operating system and applications

Next, you need to know what connections each device has and what normal behavior looks like in order to detect any usual activity. This can be challenging, as IoT devices may differ hugely in their complexity, but it's an essential part of an effective monitoring system

2. Set high standards

It's important to factor in security right from the start, which means setting requirements for procurement to ensure only approved devices with proven security standards are added to your network. Part of this includes determining what patches the manufacturer will provide and how long you can expect support to continue.

These rigorous security standards also need to extend into your supply chain, as this is an area where it's especially common for IoT devices to interact with multiple businesses. Make sure all your partners and suppliers are aware of your standard and what proof they'll have to provide before benign accepted into your network.

3. Deploy access controls

Setting up clear access controls is one of the most important things you can do to guard against hackers getting into your IoT systems. This has to start with using strong passwords - which may sound obvious, but many IoT devices ship with weak default passwords that many users neglect to change. Adding secondary authentication methods to protect against spoofing attacks is also vital.

4. Have a clear plan for patching

IoT devices can prove harder to patch than other parts of your IT network, so putting in place a specific schedule for them that allows you to focus on this area is a must. If you have devices from a wide range of manufacturers, chances are there’ll be a very disorganized schedule, with some devices expected to receive updates far more often than others.

It's especially important to identify which devices aren't set to receive patches and determine whether it’s worth the risk of keeping them on your network or upgrading to more up-to-date options.

5. Focus on your network

It's also important to understand how your IoT devices interact with the rest of your network, and put in place policies that can prevent hackers using them as an entry point to the wider business.

For example, IoT devices shouldn’t be allowed to initiate connections. This won't stop hackers gaining access by itself, but it’ll limit their ability to move around within the network.

For wireless devices, you may even consider separating your IoT devices into their own network that's segregated from your production environment wherever possible. This is useful for devices that require internet access, but should have no need to communicate directly with other devices within your systems.