The Internet of Things (IoT)—whether at home via connected refrigerators, thermostats and home security systems or in a corporate campus with Internet-enabled door locks, lightbulbs and supply chain beacons—promises future advantages that strain the imaginations of our technologists and futurists.
The potential of this technology is incredible and we have yet to truly tap into the benefits of a completely connected world.
Pumping the Brakes on IoT
However, that’s not to paint a completely rosy picture of IoT. Most are familiar with the risk factors of these devices, especially with the recent massive botnet-driven DDoS attack. It almost goes without saying that deeper connections mean more exploitable endpoints. This is obvious when you consider that these devices weren’t built with security in mind. Without regulation or oversight, IoT device manufacturers are rushing to market, creating a nightmare for security professionals.
And there’s no hint of a slowdown in this market as the spirit of convenience takes hold and the risks, at least in the consumer’s eyes, get downplayed rather than addressed in a meaningful way.
So Long, Privacy
This is where the risks get amplified. While we’re focused on network security, which is a priority, an equally important vulnerability has developed regarding privacy.
Much like the adage of a picture being worth a thousand words, in a data-driven world individuals and organizations are worth thousands of data points. With this wealth of information being traded between interconnected devices, privacy almost becomes an outdated concept, especially for enterprises.
Without institutional control, the myriad devices brought into the workplace create vulnerabilities, unintentionally removing the security safeguards you worked so hard to institute. We’ve already seen proof that internet-enabled HVAC systems, like the Nest thermostat, can be compromised, providing threat actors with unblocked access to your daily operations.
So, What’s the Solution?
Well, there isn’t an easy solution. The challenges of IoT are unlike anything our industry has faced. We’ve dealt with connected devices in the past, such as Wi-Fi-enabled printers. However, the functionality, and therefore vulnerability, of this new wave of technology is simply too much to quickly overcome, particularly when so many organizations struggle to prioritize security.
It’s not all doom and gloom. This may be an unprecedented challenge, but that’s not to say it can’t be overcome by implementing and following common sense security practices. It starts with the manufacturers. They need to understand the risks their devices pose to the public, build in secure communications protocols, and make sure that their APIs and other interfaces are built and implemented securely. There are ample tools and information available to guide and assist them with this. They also need to be clearer and more concise with regard to the data they are collecting and how they are using and sharing it. Too often privacy policies follow the construct of click-through terms of service and are too long and confusing for anyone to understand.
We, the public, also have to start demanding better security and we can do that by only buying and supporting those vendors who produce secure devices and are very clear with us about what data they are collecting and how they are using it. This type of economic pressure is far more effective than more government regulation.
Finally, security professionals need to better understand how these devices operate and connect, what information they are gathering and then ensure that they get integrated into their environments with proper segmentation and authentication. Many of the same controls we use every day to secure other devices in our environments can effectively be used with IoT devices.