Protecting Your Enterprise from Insecure IoT

Pubished 29th November 2017

This 2nd part in this short series of IoT blogs will cover how to manage the risk from IoT’s within your enterprise.

Did you miss? The Risks of Using IOT in Your Enterprise

A vulnerability programme is key for securing smart devices which are of high complexity and high risk. These programmes help identify and fix weaknesses over time, be it an old operating system or security software. In larger enterprises, it is much harder to manage the amount of weaknesses there may be, therefore programmes like this will help manage this. This shouldn’t be a one off audit of your devices. Consistent and ongoing checks need to occur to maintain a high level of security across all IoT devices for the duration of their lifecycle.

Asset management is another key step enterprises must take in order to secure themselves against attacks. Enterprises have a much better chance of securing themselves if they know exactly what they are working with. IoT entering the building without anyone’s knowledge can be dangerous. If all assets are accounted from, business or personal and categorised by complexity, enterprises can manage their risk much more effectively. If an enterprise sees no clear advantage to an IoT, then it should ask itself why it is even here as it adds nothing but risk.

The final way to decrease risk of attacks comes as an obvious way to many but surprising in execution, and this is create complex passwords. A study by HP stated that 70% of devices did not encrypt communications to the internet and local network and 80% failed to require passwords of sufficient length and complexity.

A holistic approach must also be taken to protect enterprises from the growing threat. An IoT device cannot be isolated. It is part of an ecosystem that may be powering processing data and analytic applications or even the cloud. These various intermediaries can be very complex. For example a single ecosystem could be a business with smart heaters, smart TV’s, printers and audio-visuals which sends data back to a server which is owned externally by a third-party maintenance company or device manufacturer. Hackers could exploit the external companies in order to gain access to the enterprise. This scenario can become even more complicated when enterprises outsource a variety of facilities, as this gives multiple third-party channel opportunities for hackers to penetrate an enterprise. There are however a couple of ways in which enterprises can secure their ecosystem against potential hackers.

One quicker way of reducing hack threat levels is by using network segmentation to limit access given. It is possible for IT to separate risky devices which are connected to the main network, into smaller segmented networks which have additional monitoring and restricted access. This is common in many enterprises already, for example guests may log into a separate WIFI than employees. Segmenting network enterprises effectively isolate certain risks to parts of IT infrastructures.

Another way of reducing risk is through thorough screenings of external or third-party suppliers and contracts. Some enterprises have screened potential suppliers, only opting to go ahead with those which demonstrate a good understanding of cyber security. Contracts will also ensure suppliers and providers are legally bound to protect enterprise confidentiality.

With an estimated 20.4 billion connected things in use worldwide by 2020. The number of IoT devices used by enterprises will more than triple to 7.5 billion. This gives hackers more than triple the amount of devices to access any given enterprise. It is therefore paramount for enterprises to begin to think about their IoT security now before it is too late.