Mitigating Risk in the Internet of Everything Is Everyone's Job
IoT security might seem like an impossible task. Here are three action items to get you started.
February 1, 2018
Srini Vemula
By Srini Vemula, Global Product Management Leader at SenecaGlobal
The Internet of Things has a security problem that, left unchecked, could become a full-blown crisis. For businesses increasingly reliant on IoT and the partners who serve them, the answer isn’t to fall back on traditional cybersecurity methods. Just as the IoT poses new threats, it demands new solutions.
The use of connected devices has grown enormously in the past few years, and deployments are only on the rise. According to a 2017 Gartner report, there are 8.4 billion connected devices in circulation around the globe — a number that’s expected to rocket to more than 20 billion by 2020.
For a long time, discussions about IoT-based damage to businesses remained largely hypothetical. But over the past year, those theoretical threats have materialized into something very real. The problem came into stark focus with the emergence of Mirai, a botnet designed to attack vulnerable IoT devices. From DVR boards to smart cameras, Mirai ended up infiltrating roughly 100,000 connected devices. The creators of the botnet then used the commandeered devices to overtax a major DNS service provider, leading to major website interruptions and outages across the country.
Mirai laid the groundwork for a host of new IoT-based threats. As research conducted by Kaspersky Labs revealed, IoT-specific malware programs have doubled between 2016 and 2017 — and that number is expected to do nothing but rise. Attackers are becoming more sophisticated and insidious, with new malware strains like Reaper and IoTroop posing unprecedented threats to IoT devices.
At the same time, your customers are ramping up their deployments of IoT. According to the Gartner report, while consumers use more connected devices, it’s businesses that are doing the majority (57 percent) of IoT-based spending as they apply IoT technology to increasingly enterprise-critical functions. As a partner, you can’t just install and connect sensors and walk away. You need to help customers secure new devices, provide education and make sure older nodes aren’t owned. As cybersecurity expert Brian Krebs points out, there may be 1 million organizations that already have been compromised as a result of IoT attack malware.
For partners, the challenge with IoT security is that the requirements are different from typical IT systems. One key issue is the inherent degree of connectedness among IoT nodes, whether they’re communicating with gateways or with other devices in the area. This interconnectedness is core to the value proposition of IoT. It also means that malware has the potential to spread quickly from device to device.
The other hurdle with defending IoT devices is that standardized security solutions, like multifactor authentication, often can’t be applied. If, for instance, your customer has 100 intelligent sensors remotely dispersed, it won’t be feasible to have multifactor authentication attached to every sensor. This is especially problematic given that the majority of IoT-based attacks so far have begun with bad actors targeting insecure passwords.
In addition to these unique challenges, IoT device providers haven’t prioritized security to a needed degree — or sometimes any degree. Instead, they’ve focused on …
… functionality and tech innovation. This imbalance of focus makes IoT devices themselves more vulnerable — and attackers know that.
3 Action Items
For many enterprises, adopting IoT technology is a strategic business imperative that will only become more urgent in the next few years. But as we move toward 2020 – and more than 20 billion IoT devices in circulation by that time – organizations need to be proactive about prioritizing security. Some important action items for partners:
Start with a secure architecture: Many customers want to dive right into IoT deployments, but without a secure internal architecture, they’re setting themselves up for attack. Instead, help custom-design their systems to ensure they’re built to block unwanted connections that in-network IoT devices can otherwise introduce. Even if a secure architecture is expensive, it’s an investment that pays dividends in the long run.
Implement better data-management strategies: Even if you can’t control the security design of the IoT devices you’re bringing into a customer network, you can control the data these devices create and interact with. And yet too few companies are currently prioritizing data management to a needed degree. In an IoT-driven future, better data management is a business imperative.
Properly train users in IoT best practices: Within IoT-enabled organizations, there’s often a gaping proficiency gap between IT or partner personnel and other employees who may also be interacting with these devices. In order to lay the best foundation for IoT security, you need to include cross-departmental training in IoT best practices as part of any services sale.
IoT is a massive services opportunity. For IoT tech suppliers, the priority needs to be on better password protocols and more advanced patch management. But let’s face it — the IoT landscape will continue to evolve faster than the ability of consultancies like mine or yours to secure it. Maybe the most important step is to make sure business customers using IoT devices become and remain more aware of – and proactive about – security. Because it’s only a matter of time before the next major attack.
Srini Vemula is global product management leader at software development and technical advisory firm SenecaGlobal.
Read more about:
AgentsYou May Also Like