Most customers aren’t confident that Internet of Things (IoT) devices are secure, even though Amazon Echo and Google Home fly off the shelves. No wonder you’re worried about all those devices being deployed across your organization—it’s hard enough protecting your IT environment as it is.
Gemalto found “90 percent of consumers lack confidence in the security of the Internet of Things devices,” and device manufacturers only spend 11 percent of their budget on securing their product. Although businesses may be wary of the potential security holes, the Internet of Things Institute says adoption isn’t slowing—it predicts enterprises, in particular, will see security breaches as a cost of conducting business while stepping up their defences.
Just as Bring Your Own Device (BYOD) practices added new attack vectors, IoT creates a new landscape of potential targets. Simon Jones, evangelist at Cedexis, sums up the reality of security in 2018 quite succinctly for the IoT Institute: “…traditional defence mechanisms will fold like a deck of cards, and breaches will come thick and fast.”
If “I have a bad feeling about this!” is your immediate response, you’re not alone. But just like BYOD, the coming avalanche of devices doesn’t have to mean one security breach after another.
Apply the same rules
Although it may seem like an entirely new ball game, the Department of Homeland Security (DHS) suggests you divide and conquer to ensure security is prioritized at your organization by applying tried-and-true methods:
- Take advantage of proven security practices: Those that already have a good track record in traditional IT and network applications can bolster your device security, too.
- Prioritize based on potential impact: Security measures for each application should align with the potential disruption to your business and the magnitude of consequences.
- Know your landscape: Transparency across your supply chain is critical—you must understand the vulnerabilities of third-party devices.
- Be choosy with your connections: You should connect carefully and deliberately and think about whether a device really needs continuous connectivity. Balance the usefulness of the device with the consequences of a security breach.
Remember: IoT security differs depending on the environment. A factory floor handles different data and contends with different vulnerabilities than a chain of retail stores. Invariably, the consequences of a breach are similar—namely, disruption to business operations, a hit to your reputation, and a loss of revenue.
Manage it like mobile
The early days of BYOD gave birth to mobile device management, so just as vendors came out with offerings to corral and secure personal smartphones and tablets connecting to the Wi-Fi, new tools are emerging to manage an even more diverse set of devices.
Major cloud platforms, for instance, realize their customers ingest massive amounts of data via distributed devices, such as sensors, cameras, and specialized equipment, so they now provide comprehensive device management and security solutions. And with the cloud, it’s not necessary to deploy on-premise software to manage every device. HP Device as a Service (DaaS), for example, lets you offload the time-consuming tasks of device support and lifecycle management. It’s also easy to apply security polices and enforce them across a wide range of devices from a central dashboard.
Where’s the money gonna come from?
It’s not that organizations aren’t throwing money at IT security—Gartner forecasts that worldwide spending on information security products and services will grow to CAD$115 billion in 2018—but your boss will demand value for dollars. The good news is that cloud-based tools, such as HP DaaS, can come at a fixed, predictable monthly cost. However, you still need to convince the C-suite to give you the budget, and reading a list of what you need and why won’t get you far. You must frame security in the language of business.
Your job is to articulate the consequences of a security breach—and emphasize that it’s a matter of when, not if, one will happen. Strategy consulting firm Altman Vilandrie & Company found 48 percent of firms surveyed have experienced an IoT security breach at least once. The consequences of these security failures can be critical, costing smaller companies more than 13 percent of their total revenue; larger companies take a hit upward of tens of millions of dollars.
These security breaches are avoidable. Altman Vilandrie & Company found companies that hadn’t suffered a security failure invested 65 percent more on security than firms that have been breached. There’s your ROI for the C-suite right there.
Test and test again
As technology gets more advanced, so do hackers and botnets, and they are relentless. Further complicating matters is this onslaught of devices exacerbates a problem first created by BYOD: a permeable perimeter. It’s not enough to set up firewalls and anti-virus technologies.
A 451 Research white paper commissioned by BlackBerry Limited that surveyed IT decision-makers found that huge deployment opportunities are balanced against significant cybersecurity concerns. As noted by BlackBerry’s chief operating officer, the proliferation of devices is led by enterprises, and the expanding adoption of connected things means companies are only as secure as their most vulnerable endpoint.
Not only do you need a unified endpoint management strategy that can scale to handle billions of connected devices, your penetration testing must now extend to your devices, which add an additional level of complexity, because there’s more hardware, software, and communication protocols involved. But the benefits of penetration testing go beyond just seeing if anyone can break your network security: It protects against unauthorized usage, enhances user and data privacy, sets strong encryption, and strengthens device security.
IoT is quickly becoming a fact of life. In the short term, securing it will be a big headache, but the sooner you start addressing this need, the better. Down the road, your business—and its IT environment—will thank you for the extra layers of security.