The consumer and business markets for Internet of Things (IoT) technology have exploded over the last 10 years. These powerful, networked, data-gathering products are overflowing with the potential to transform how we live and work.
IoT devices are popping up in homes, schools, small businesses, and practically every enterprise business sector, but it’s no secret that security has taken a back seat in developers’ headlong rush to get new IoT products to market faster. Few technical standards exist for IoT technology and manufacturers prioritize ease of setup over anything else to make their products as attractive as possible in a crowded market. This mix of factors creates IoT security problems that business users might overlook.
Unmanaged IoT Devices Are a Growing Problem
New research makes it clear that the rapid introduction of IoT devices into businesses has created physical and network security vulnerabilities most organizations aren’t prepared to manage. A recent joint study by IBM and the Ponemon Institute found that the average time it takes businesses to identify a data breach has increased to 280 days. That time frame is concerning because breach remediation costs were shown to rise by $1 million on average after the 200-day mark.
In many organizations, the risk of a data breach has been made worse by the explosion of unmanaged IoT devices now in use. In their “State of Enterprise IoT Security in North America” report, Forrester Research found that 69 percent of respondents estimated that at least half of all their IoT devices were unmanaged.
Common Types of Unmanaged IoT Devices
On the surface, that estimate sounds high. How could organizations not know about half of a given technology base in their organization? But when you think through just how much business equipment is now networked as part of the Internet of Things, you see the full scope.
Good device management is necessary for preventing IoT security problems. Consider which IoT devices might be unmanaged in your own organization. Those devices tend to be a mix of consumer products brought in by workers and corporate equipment deployed ad hoc by individual departments.
These devices include:
All kinds of new IoT computing peripherals and mobile devices have embedded operating systems that can be compromised. They include printers, VOIP phone sets, smart monitors and TVs, smartphones and watches, and digital assistant devices, such as Amazon Echoes and Google Home speakers. These devices are also valuable and easily resold, which makes them physical security liabilities and targets of theft.
IoT equipment is increasingly used in physical plants to automate systems that need regular monitoring and performance adjustments. Many HVAC systems, such as air conditioning controllers and air quality monitoring devices, are now networked IoT units. Lighting systems and security cameras are also popular technologies to convert to IoT.
Retail and Warehouse Inventory Management Equipment
The latest generation of bar code scanners, POS systems, and inventory scanners all now have wireless adapters to connect to central financial and ERP systems.
All of these devices pose physical and network security challenges. In the Forrester report mentioned above, that same pool of surveyed IT and security professionals also felt that their existing management systems were not adequate for handling all of the IoT devices their organizations had in use.
8 Overlooked IoT Security Problems
IoT technology creates many subtle security challenges that businesses have not faced before. Here are eight problems many companies might overlook when deploying IoT devices.
1. Underestimating the Amount of Physical Management Needed
Mobile IoT devices, such as handheld scanners and tablets, create additional management challenges. These devices are at the center of many new integrated workflows, so when those devices aren’t available, overall performance suffers.
Reliable tracking and management tools for mobile devices help maintain efficiency. Look for management systems that offer a combination of real-time asset monitoring, transaction logging, and asset reservation scheduling.
A manual tracking process, such as having staff record transactions in a spreadsheet, might work but at best is inefficient and error-prone. Automated systems frequently deliver better ROI on asset management.
2. They’re Prone to Loss and Theft
Mobile devices are portable and very valuable. Criminals may look to steal consumer-friendly devices, such as tablets, due to their high street value. Also, since they’re connected IoT devices, savvy criminals may want to steal them because they provide a gateway to launch attacks on your network.
You need a way to securely store mobile IoT devices when they’re not in use. Smart locker systems offer modular, customizable, and secure storage options no matter how large or small a footprint you have to work with.
3. They’re Insecure Out of the Box
As we mentioned, IoT manufacturers frequently prioritize ease of setup in their designs to make their products as attractive as possible in a crowded market. That often results in security features being deprioritized or left out entirely.
Even something as simple as leaving default passwords unchanged has been the source of serious IoT compromises. You can expect your IoT devices out of the box to have:
- Known default passwords
- Unpatched and out-of-date operating systems
- Insecure network connections
4. IoT Can Produce Too Much Data
One of the key benefits of IoT technology is the amount of new data it can generate about business systems. But the sheer volume of data produced can pose a problem if you’re not prepared. Hackers can hide malicious traffic in high volumes of that new, unfamiliar data on networks, which can make it difficult for network security tools to identify when an attack is inbound against an IoT device.
5. They’re Unfamiliar
Because IoT is so new, many users aren’t familiar with the problems these devices pose and so don’t know how to use them securely. Many existing enterprise physical and IT security tools are not well-equipped to manage IoT devices either. They were designed for the previous generation of technology where all that mattered was threats to laptops, desktops, and servers.
Companies may have a hard time even hiring new IT and physical security staff familiar with all of these problems. They likely will need to train their existing staff on how best to use and secure IoT assets.
6. IoT Devices Create Unexpected Security Convergences
Nearly 33 percent of all cybersecurity compromises now occur on IoT devices. For that reason, the two major US-based IT security standards bodies, NIST and CIS, both publish frameworks for IoT device management:
But those frameworks are exclusively about cybersecurity, not physical security. IoT devices are a point of security convergence, where those two historically separate security programs now overlap. Managing IoT security requires a coordinated effort from all of a business’s different security programs.
7. You Might Not Have a Proper Intake Process
Another consequence of IoT technology still being so new is that businesses don’t often have good administrative processes in place to bring them into the organization. IT departments lean on automatic discovery tools, which can find and inventory new assets over the network, but those tools often only work for laptops and devices such as tablets and smartphones.
To be proactive, businesses should develop their own intake processes. For IoT devices, these will need to include some combination of new policies, training, and management technology, such as smart locker systems, for tracking mobile IoT assets.
8. You Also Might Not Have a Decommissioning Process
Your decommissioning process for IoT devices needs to involve more than just tossing them in the trash. IoT devices store information about physical and network assets that they are connected to, including proprietary information about your organization and user credentials. This information needs to be wiped or made inaccessible for an IoT device to be safely disposed of when it reaches the end of its lifecycle.
Inventory software, such as that integrated into smart locker systems, can help keep track of equipment warranties and lifecycles. Some locker systems can even be customized to send warning emails to administrators when lifecycle ends dates approach.
Take Action Today
So what can you do about these IoT security problems? We recommend a few different solutions.
Inventory Your IoT Devices
First, you need to know what you already have. Start your new IoT asset management program by inventorying every single device currently in use in your organization. Get every single device, managed or unmanaged, into a tracking system.
Conduct Security Training
Technical staff and regular business users alike need to be more aware of the risks involved in running insecure IoT devices. The day will come when IoT security best practices are common knowledge, but until then, we need to cultivate a security first mindset. That means conducting thorough training on how to purchase IoT devices, use them responsibly within a business, and safely and securely dispose of them.
Implement Technical Solutions
Businesses need complete visibility over IoT devices in use in their organization. They need to know who has which devices and how those devices are being used.
Ideally, businesses should also look for opportunities to improve existing manual workflows. For example, allow users to flag equipment in need of maintenance when signing it out or returning it to a smart locker system. The system can then prompt the user to deposit the device in a specially designated maintenance locker and notify service technicians to retrieve it.
Good IoT Security Is Up to You
If manufacturers aren’t going to prioritize IoT security, then it is up to business users to protect themselves. IoT devices may help power your business, but managing them requires solid planning, resources, and smart technology.
About the Author
Inge Boubez, Director of Marketing