Analysis from ABI Research for Verizon has shown that the ever-growing number of IoT devices is expected to surge from 1.2 billion devices in 2015 to 5.4 billion connected devices worldwide by 2020. This dramatic growth also brings with it heightened security risks. 72 percent of security experts surveyed for ISACA’s 2015 IT Risk / Reward Barometer said they feel device manufacturers are failing to implement satisfactory security measures in IoT devices, and 73 percent said the current security standards in the industry do not sufficiently address IoT-specific security concerns.
The figures highlight a serious risk. And the severity of the risk is further underlined by the assertion by 56 per cent of the sample that their organisation’s IT department is not aware of all its connected devices.
The complex boundaries between home and office life are raising the stakes and making it even harder for IT to exercise control. One of the first questions many new employees ask when joining an organisation is “how can I connect my mobile phone up to the corporate email?” It increases the connectivity of the organisation, of course, and drives enhanced productivity, but it also means they are bringing new levels of insecurity into the business.
Extensive Threats
This is the key challenge that every company today is having to wrestle with, as the Internet of Things continues its onward march. They may decide they want to have a trust-based business model that drives flexibility but they can’t afford for that stance to negatively impact the security of their business.
Organisations should really ask themselves – first, do they allow this expansion of the corporate Internet of Things at all? Second, if they do, what corresponding security do they impose on the individual? The use of personal mobile phones in the office environment is an issue in itself. Most people only use a simple password on their phones and it’s relatively easy for anyone to replicate them, or effectively socially engineer that person into releasing information they should not.
Equally, once a personal device has become connected to the network and that individual leaves the business, he or she will take those emails and contacts with them. If the business does allow this to happen, there has to be a policy that gives the company rights, if needed, to access that individual’s phone and remove all corporate information. Alternatively, the company will need to employ technology, allowing it to remotely wipe all of the business contents on the phone.
But the threat posed by the Internet of Things extends beyond the simple mobile phone. The potential risks are everywhere. The latest vogue is for connected smart TVs in the company boardroom. The most cutting edge are voice activated but have you stopped to consider the security ramifications? The voice recognition capability is typically on the Internet rather than the device itself so private conversations conducted in the room while the device is on could be being transmitted externally. Corporate laptops connected up to home networks will almost certainly be subject to less stringent security controls than when used in the office environment and therefore more prone to viruses and phishing attacks. The latest camera phones, computer apps and intelligent personal assistants bring additional concerns.
Get the Balance Right
It’s important to put this in perspective, of course. Movements like home and remote working, BYOD and the Internet of Things have transformed the business environment, bringing enhanced flexibility, operational efficiency and raised productivity. Too many restrictions can stymie those developments, making home working less flexible and productive and negatively impacting morale.
That said, in today’s increasingly Internet of Things enabled age, businesses must put certain ground rules in place to ensure that their security is never compromised. Technology can only go so far, but if that technology is open or insecure then you run the risk of letting something onto the network that you really shouldn’t, from Internet-enabled cameras to smart TVs to a host of other uncertified devices. Best practice would be to implement technology to prevent any interaction with bad websites and exploited locations, for example. But before you do this, you need to put policies in place. Any new device plugged into the corporate network should be authorised. Moreover, visitors to the business should only be allowed onto a guest network (which should also be time-limited to prevent repeated use of company resources over time). Contractors should never be allowed to come in with their own hardware, connect it up, and do what they want on your network. When you look at the issue of security, the motto should be ‘if you don’t know, the answer is no’. The Internet of Things is about convenience and increased capability, but if you want to take advantage of its benefits, you need to remain aware of its risks and make sure you don’t fall foul of the hidden dangers.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.