
The Dangers of IoT and How to Reduce the Risks

By Sarah Lahav | August 18, 2015 | Updated: January 24, 2022

The Internet of Things (IoT), sometimes called the Internet of Everything (IoE), is already here. It’s not something we can “deal with in the future.” Instead, corporate IT departments need to focus on the IoT now – addressing both the IT management and security implications, as IoT devices are a different breed of device to traditional IT infrastructure.

However, the responsibility for IoT security doesn’t just lie with corporate IT departments. The IoT industry – especially the vendors that produce and sell IoT devices and solutions – also needs to up their game. And thankfully, many are finally recognizing that their security track record has been poor and that they must improve.

IoT Security Mistakes Make Headlines

High-profile IoT security breach cases, such as the TRENDnet settlement with the US Federal Trade Commission (FTC), have seen to this – TRENDnet’s so-called SecurView Home CCTV system allowed strangers to see, and sometimes listen in to, over 700 home security camera feeds because of the company’s poor security practices.

FTC Chairwoman, Edith Ramirez, summed up the challenge for all IoT vendors, and both consumer and corporate purchasers of IoT devices: “The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet.”

The FTC also established a precedent for what might be the first kind of security standard in the IoT industry – the prioritization of security, confidentiality, and privacy over the rush to market and convenience.

What the IoT Industry Needs to Do

The IoT industry has a large part to play in mitigating IoT dangers for both corporate and consumer scenarios. In particular, IoT device producers and sellers need to place security, confidentiality, and privacy at the top of their IoT product plans – building security into the design from day one. They also need to avoid overstating, overselling, or misrepresenting the security features of their products, or how much control the user has over security.

The IoT industry needs to ensure that its IoT systems follow basic security best practices, including allowing the buyer to set a unique and complex password, and that its IoT systems can be upgraded to patch them against newly known security exploits. The industry also needs to recognize that it’s better to be open than closed in most cases – that transparency can improve its products and its standing and trust with consumers.

Finally, they should employ IoT and IT security professionals, including hackers – offering rewards to people for finding vulnerabilities in their products.

What Corporate IT Departments Need to Do

Firstly, corporate IT departments need to open their eyes to the inherent IoT security risks that are already in play. For example, an independent security organization recently scanned the 900 MHz band used by IoT wireless devices and found, to their client’s disbelief, that the client’s building HVAC (heating, ventilating, and air conditioning) was IoT-connected. The client didn’t know this, and wasn’t responsible for their security. The HVAC devices also had default passwords and very little by way of security.

If a hacker had gained control of these IoT devices, they could have caused business damage – remember that the very public Target security breach included the use of credentials stolen from one of Target’s HVAC providers.

So to help mitigate the risks associated with the IoT, corporate IT departments should create and enforce an overarching IoT security policy – yes, it’s a no-brainer. The Chief Security Officer must also endorse and fund the implementation of lower-level IoT security policies and education. IT departments should also create and employ IoT procurement standards – ensuring that all IoT device purchases go through formal procurement procedures which are based on the most current expert advice. They should also consider running a collaborative IoT project with external experts – never assume that existing, internal knowledge is enough.

IT departments should regularly maintain and patch their IoT devices, looking for available updates and applying them; and run regular security routines, scanning offices and other building facilities for IoT devices, preferably with constant monitoring. They need to build up a known map of what is “normal” with accountable people identified for each IoT device network – investigating network abnormalities as they arise.
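
One way to keep the known map of what is “normal” described above, shown as an added example that is not part of the original article: each discovery scan is compared with an approved inventory that names an accountable owner per IoT device network. The device records, field names, firmware versions and the `audit` function are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    mac: str       # hardware address, used here as the device identity
    network: str   # IoT device network the device belongs to / was seen on
    firmware: str  # firmware version recorded or reported

# Constructed baseline: the approved inventory, keyed by MAC address.
BASELINE = {d.mac: d for d in [
    Device("00:11:22:aa:00:01", "hvac", "2.4.1"),
    Device("00:11:22:aa:00:02", "hvac", "2.4.1"),
    Device("00:11:22:bb:00:01", "cctv", "1.9.0"),
]}
# Constructed: accountable person for each IoT device network (None = nobody).
OWNERS = {"hvac": "facilities-lead", "cctv": None}
# Constructed: newest firmware the vendor offers for each network's devices.
LATEST = {"hvac": "2.5.0", "cctv": "1.9.0"}

def audit(scan):
    """Compare one discovery scan with the baseline and return findings."""
    findings = []
    seen = {d.mac: d for d in scan}
    for mac, dev in seen.items():
        known = BASELINE.get(mac)
        if known is None:                      # never went through procurement
            findings.append(("unknown-device", mac, dev.network))
            continue
        if dev.network != known.network:       # abnormal placement to investigate
            findings.append(("moved-network", mac, dev.network))
        if dev.firmware != LATEST.get(known.network):
            findings.append(("patch-available", mac, dev.firmware))
    for mac in BASELINE.keys() - seen.keys():  # approved device not observed
        findings.append(("missing-device", mac, BASELINE[mac].network))
    for net in {d.network for d in BASELINE.values()}:
        if not OWNERS.get(net):                # nobody accountable for this network
            findings.append(("no-owner", net, None))
    return sorted(findings, key=str)

# Constructed scan: one device absent, one moved, one never approved.
SCAN = [
    Device("00:11:22:aa:00:01", "hvac", "2.4.1"),
    Device("00:11:22:bb:00:01", "guest-wifi", "1.9.0"),
    Device("de:ad:be:ef:00:09", "hvac", "0.0.1"),
]

if __name__ == "__main__":
    for kind, subject, detail in audit(SCAN):
        print(f"{kind:16} {subject:20} {detail or ''}")
```
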

Finally, corporate IT departments need to know what to do when they’ve been breached – it’s not difficult, they just need a plan and a formal set of practices for responding to IoT security breaches.

About Sarah Lahav

SysAid Technologies’ first employee, Sarah is now CEO and a vital link between SysAid and its customers since 2003. As CEO, she takes a hands-on role evolving SysAid with the dynamic needs of service managers. Previously, Sarah was VP Customer Relations at SysAid and developed SysAid’s Certification Training program, advancing the teaching methods and training technology that is in place today.
Sarah holds a B.Sc. in Industrial Engineering, specializing in Information Technology from The Open University in Israel, and spends her free time with her three beautiful children.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
