IoT is everywhere. There are around 15 billion connected devices in the world today. Putting it bluntly, that equals billions of opportunities to launch a cyber-attack. I’m sure we all saw the news at the end of 2016 when IoT cameras were infected with the Mirai malware and turned into ‘bots that were used to disable websites and Internet services.
Will 2017 be the year we hear of the first attack where IoT is used to steal corporate data? This is a threat that has to be taken seriously, as it is very real - now is the time to consider how to improve process, policy and technology for the safer, more productive use of connected devices.
Business IoT is common, but it’s personal devices that are really driving this technology trend – we’re buying everything from storage to desktop gadgets, all of which could be brought into work and connected to the network.
Businesses Use IoT
There are plenty of valid business use cases for IoT, driving both personal and professional effectiveness. We’re familiar with never-empty IoT coffee machines or network-connected printers and lighting – but now we’re seeing integrations with scheduling or email allowing IoT-enabled meeting rooms which are available on demand, or tagging assets to enable just-in-time order processes.
All these devices need network access, and many will require Internet access for cloud storage of data and configuration. They will also be connected to the company network, which has the potential of exposing the network – a compromised coffee machine may be frustrating for users needing a caffeine fix, but the breach could also expose the network and corporate data to a targeted attack.
When we design infrastructure for enterprise IoT, it’s important that these devices are treated as a threat risk from the outset. Whereas a laptop or tablet has layered protection against malware, we may not want to assume that this is the case with IoT devices. It’s critical for users to understand how these devices will access the Internet, what services will be necessary and which are just nice-to-have, and how they will receive updates. We need to remain in control of IoT on the network, and not let IoT take control of the network.
Personal IoT Devices
We all love our personal IoT devices; they are fun, they are cool and they are the future. The device itself may be innocuous and sometimes even personally beneficial. However, these devices connect to cloud services and, without the proper security settings, they have the potential to expose a corporate network, providing opportunity for anyone planning a socially-engineered and targeted attack.
Now is the time to create policies for the use of IoT devices. We cannot afford to be naive about their use - it is happening. People have personal back-up drives, cameras, gaming devices, and fitness devices, so it is critically important to ensure that your business is prepared and protected. You really only have three choices.
Ban: Do not allow any use of IoT at work: Unless you are in a government organisation, an air-gapped business, or have never allowed personal electronics, this may not be a practical solution. Banning IoT altogether could drive it further into the shadows. People will use it just outside the office, in the car-park, or in the washroom. And worse, not knowing means not seeing, so a total lack of visibility may be the result. Banning altogether could make you even more vulnerable should an attack occur.
Ignore: Allow use of IoT with no supervision: This response is equivalent to an ostrich burying its head in the sand – it ignores reality and is highly risky. Allowing the use of any IoT device makes it impossible to track, and in turn, when a breach occurs, it will be difficult to detect. This approach is definitely not recommended.
Allow: But implement security awareness for users: This will likely be the best response for most enterprises. By implementing good, and regular, security awareness training for users, they become more aware of the risks and better capable of applying a form of security (strong passwords, disabling Internet management). Devices will be visible and protected because they are in plain-sight. There may be devices which are not allowed on the corporate network, but these will be the exception, not the rule. People will come to understand.
I hope that in this blog I’ve conveyed that while as useful as IoT can be, there are risks. Juniper Networks wants everyone to enjoy IoT safely by using security technology that provides the earliest possible warning of malware by monitoring from the network. Juniper Networks Sky ATP advanced malware defence , which is integrated into our next gen SRX series firewalls, does exactly this. It enables faster and more accurate detection and remediation from threats than standalone security appliances or firewalls alone.
So, to answer the question posed at the start– ‘Will the enterprise welcome connected devices?’ - well, in fact you won’t have a choice as IoT is inevitable. Where you do have a choice is how you protect yourself from those connected devices and ensure that IoT doesn’t equal “Internet of Threats.”
If you enjoyed reading this blog and would like to read related security blogs please visit here