The Internet of Things (IoT) is no longer some futuristic thing that’s years off from being something IT leaders need to be concerned with. The IoT era has arrived. In fact, Gartner forecasts there will be 20.4 billion connected devices globally by 2020.
An alternative proof point is the fact that when I talk with people about their company's IoT plans, they don’t look at me like a deer in headlights as they did a few years ago. In fact, often the term “IoT” doesn’t even come up. Businesses are connecting more “things” to create new processes, improve efficiency, or improve customer service.
As they do, though, new security challenges arise. One of which is there's no “easy button.” IT professionals can’t just deploy some kind of black box and have everything be protected. Securing the IoT is a multi-faceted problem with many factors to consider, and it must be built into any IoT plan.
Top challenges associated with securing IoT endpoints
- Physical security is overlooked. Businesses devote a significant amount of time and energy to cybersecurity. However, physical security is often an afterthought or overlooked altogether. Devices need to be protected against theft or hacking of the hardware. Because IoT is often deployed by non-IT individuals, there can be many devices that IT departments are unaware of. These unknown devices can be breached from a console or USB port and create backdoors into other networks. IT and cybersecurity teams need a better way of automating the discovery of IoT endpoints.
- Traditional security doesn’t work with IoT. Today’s cybersecurity is primarily focused on protecting the perimeter of a network with a large, expensive firewall, but ZK Research found only 27 percent of breaches occur there. (Note: I am an employee of ZK Research.) Although firewalls are still required to protect the network, IoT devices enable breaches to occur inside the network. IoT requires organizations to rethink their security strategies and focus on the internal network. Another factor with IoT devices is that many connect back to a cloud service to provide status updates or provide other information. This punches a legitimate but hackable hole through the firewall from the inside.
- Many IoT devices are inherently insecure. Most IT endpoints such as PCs and mobile devices have some embedded security capabilities or can have an agent placed on them. While many IoT devices have old operating systems, embedded passwords, and no ability to be secured by a resident agent. This underscores the importance of rethinking security in a world where everything is connected. If the endpoint can’t be secured, then protection needs to move to the network.
- Cybersecurity is growing in complexity. Protecting against external threats used to be a straightforward process: Place a state-of-the-art firewall at the perimeter, and trust everything inside of the network. That made sense when all the applications and endpoints were under the control of the IT department. Today, however, workers bring in their own devices, and the use of cloud services is extensive, creating new entry points. To combat this, security teams have been deploying more niche point products, which often increases the level of complexity. My research has found that organizations use an average of 32 security vendors, and this number is growing — leading to an environment that is becoming increasingly complex and less secure. Also, IT departments struggle today to manage the current set of connected devices. Adding three to five times more endpoints will overwhelm many security teams.
- The number of blind spots has exploded. Cobbling together a patchwork of security tools from different vendors may seem like a sound strategy, as each device was meant to solve a specific problem. However, this approach leaves massive blind spots because the devices have little to no communications among them. Also, this architecture lacks automation, so the configuration of these devices must be done one at a time, meaning changes can often take months to implement. This delay puts organizations at serious risk.
Failure to have a comprehensive IoT strategy puts businesses at risk
It’s important to understand how big the risk is of not having a comprehensive IoT security strategy. Success with IoT requires a number of processes work together. A breach at any point can cause an outage and a possible loss of sensitive data. In many verticals, such as healthcare, state and local government, manufacturing and banking, IoT services are mission critical, so any kind of outage can cost companies millions. Indeed, in May 2016, the Ponemon Institute found the average cost of a data breach to be $3.62 million, up from $3.5 million in 2015.
There is tremendous business value in IoT, and I strongly recommend businesses be aggressive with deployments. However, I also advise building security into the plan instead of trying to implement it after deployment.
Thanks to Zeus Kerravala (see source)