Everyone’s talking about the Internet of Things that infinite network of physical objects that collect and transmit data autonomously. The opportunity IoT presents for organizations to streamline, simplify and reduce costs is limitless, and everyone naturally wants to take full advantage of it. As IoT-enabled devices increasingly make their way from the consumer market to the enterprise, however, no organization can afford for security to be an afterthought.
"To maintain the safety of critical organizational data, top priority must be given to securely connecting products, platforms, and devices"
To maintain the safety of critical organizational data, top priority must be given to securely connecting products, platforms, and devices, all without negatively impacting the business or productivity. You’ve got to carefully evaluate not only the countless number of IoT devices being brought into your network, but also the huge amounts of data from many different locations generated by those devices and the potential risk to the business. Without the right preparation and management, this explosion of data can not only clog up your network and overwhelm your existing security, but if not securely managed, expose the business to significant risk.
By following the five best practices below, it will help your organization maintain the highest level of security across the business, and still allow executives, employees and customers to take full advantage of the convenience offered by IoT devices.
Research in this area is exploding. IoT-enabled devices aren’t necessarily coming from known manufacturers, so first, you need to understand what the device is. It’s important to evaluate all IoT devices that are accessing and planning to access your system. Understand what they do, what data they collect and communicate, who owns the data they collect, where the data is being collected, and any vulnerability assessments or certifications the devices have.Understand the software that is being put on them, and who’s putting it on. Finally, for the sake of the long term viability of your business, don’t just go out and buy these things and put them in your organization. It’s worth the time and effort to do thorough research.
Inevitably, people are going to bring in their own devices. Once in your organization, these devices will begin sending data back and forth and the potential for trouble is high. For example, if my Apple watch is connected to my Apple phone, which is connected to the corporate network, data can co-mingle on the same network as my corporate production traffic. That’s why it’s critical to understand the impact of IoT on network traffic in the current ‘as-is’ state. Audit your network today, so you can audit it again the next day, and the next, to see what non-approved devices are on the network. See when these devices are accessing the system, what they do when they see data, and what they communicate to and where. Do this monthly to begin with, but when you start to see things pop up, it’s a good idea to audit more frequently, especially if you’re dealing with financial data. As you see additional devices knowingly or unknowingly added or removed, you will be able to reassess your organization’s network performance and identify any changes on an ongoing basis.
Employ a ‘no-trust’ policy when it comes to IoT devices. After you’ve researched the devices coming into your organization, make sure they’re on a separate network segment so they can’t access or interfere with critical corporate data. You don’t know what this data is, so you don’t want it making its way to your corporate server. Also, the possibility of a privacy breach exists if a device, such as a glucose monitor, is sending biometric data between the user and their doctor. If this data gets into the corporate network, the company could be liable for the breach.
IoT is the Wild West and will continue to evolve and change rapidly over the coming months and years. It will be critical to ensure that IT, security and network teams are educated on the ‘latest and greatest’ when it comes to devices, standards, and issues. Educate your users about the dangers of bringing these devices to work and plugging them in without informing your business. Remember, this is a nascent market and there are multiple standards for the same thing. Be prepared for consolidation and emerging standards, but understand that today, little of that exists as some devices have weak or no security. There are a lot of protocols out there, and if somebody brings in a new protocol, your company can be in trouble. Get out ahead of this with an IoT education program.
It’s critical to be vigilant about securing and encrypting data wherever it’s stored. Be aware of the data device vendors collect, because the consolidated data set collected from all of their customers may be a very attractive target for hackers. Then, there’s the question of who owns the data the device creates if your company purchased a smart plug device, it naturally has access to the data. The manufacturer of the outlet might also want (or be collecting without your knowledge) the data, and the people who run the office building might want the data so they can predict electrical usage. You really just don’t know who’s collecting all this data. In addition, IoT devices often are headless and have their own sets of credentials and entitlements in your infrastructure. You need to make sure the credentials associated with those devices are even more secure than those for the human users accessing your network. You’re doing your organization a great disservice if you don’t take a holistic approach to security including endpoints, the network, identity and access management, and everything in between.
If you follow these five steps and stay on top of the ongoing evolution of the Internet of Things, your organization can safely start reaping the benefits of this new generation of devices.