Your Employees' IoT Devices are a Cyberhacker's Best Friend

By Special Guest
Phil Merson, director of IT asset management at Ivanti
April 04, 2018

By 2020, the installed base of Internet of Things devices is forecast to grow to almost 31 billion worldwide. More than 65 percent of enterprises will be deploying IoT products by that year, according to a report by Gartner.

In its IoT analysis, Gartner notes that major distributed denial of service attacks have occurred because cybercriminals were able to exploit security weaknesses of thousands of IoT devices. And as Gartner warns, with the proliferation of these devices, these DDoS events will escalate.

As enterprises step up their use of IoT devices, they need to put into place the same level of strenuous security measures they use to protect all their other hardware, software, or data assets. The most effective way to help prevent cyberattacks is to treat every IoT device as a possible threat. 

That may sound dramatic but, as Gartner also notes, by 2020 more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets.

Applying Secure Asset Management Practices to IoT
In protecting against threats in the enterprise, you have to begin at the beginning: getting a clear, manageable picture of all the IoT devices, both authorized and rogue, that your employees and contractors are using in the course of their work. Then you need to apply the most powerful security measures available to further ensure use of these IoT devices will not invite cyberattacks into your network.

Start with these five practices to gain control and secure your IoT device assets.

Create an IoT Security Squad. Many enterprises now have dedicated security executives who often are siloed from traditional IT departments. To be most effective, security, IT, and asset management teams need to collaborate closely on managing and securing all IoT devices. For example, the asset management team has to be aware of any new security initiatives to work with IT to help integrate IoT devices with these security solutions.

Apply Thorough Discovery to IoT Devices. Just as you inventory other hardware assets, you need to apply network discovery tools to discover all IoT devices on your network. These devices should have a serial number and be tracked in any location. A good example of what happens when devices are not where they’re supposed to be is an incident that happened at Heathrow Airport last year, in which a USB stick was found on the pavement and turned out to have 2.5GB of unencrypted data relating to security protocols, including those to be used if the Queen is passing through the airport. This particular security breach had a relatively happy ending when the device was turned over to the proper authorities, but consider the potential this had for risk, ransomware and public safety.
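One way to turn the discovery practice above into a repeatable check is to reconcile each discovery run against the asset register. This is an added example, not code from the article or from Ivanti; the record fields, site names and sample devices are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    serial: str
    mac: str
    location: str  # site the asset register assigns the device to

# Constructed sample data; field names are assumptions, not a product schema.
REGISTER = [
    Asset("SN-1001", "00:11:22:aa:bb:01", "HQ-Floor2"),
    Asset("SN-1002", "00:11:22:aa:bb:02", "HQ-Floor3"),
    Asset("SN-1003", "00:11:22:aa:bb:03", "Warehouse"),
]
# One record per device a discovery run saw: MAC, self-reported serial, observing site.
DISCOVERED = [
    {"mac": "00:11:22:AA:BB:01", "serial": "SN-1001", "seen_at": "HQ-Floor2"},
    {"mac": "00-11-22-aa-bb-02", "serial": "SN-1002", "seen_at": "Warehouse"},
    {"mac": "de:ad:be:ef:00:01", "serial": "", "seen_at": "HQ-Floor2"},
]

def norm_mac(mac):
    """Normalise MAC notation so 00-11-.. and 00:11:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(register, discovered):
    """Compare discovery output with the register and return findings by type."""
    by_mac = {norm_mac(a.mac): a for a in register}
    findings = {"rogue": [], "moved": [], "serial_mismatch": [], "not_seen": []}
    seen = set()
    for rec in discovered:
        mac = norm_mac(rec["mac"])
        asset = by_mac.get(mac)
        if asset is None:                      # on the network, not in inventory
            findings["rogue"].append(mac)
            continue
        seen.add(mac)
        if rec["serial"] != asset.serial:      # known MAC, unexpected serial
            findings["serial_mismatch"].append(asset.serial)
        if rec["seen_at"] != asset.location:   # device is not where it should be
            findings["moved"].append((asset.serial, asset.location, rec["seen_at"]))
    # In inventory but absent from the network: lost, powered off or removed.
    findings["not_seen"] = sorted(a.serial for a in register if norm_mac(a.mac) not in seen)
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(REGISTER, DISCOVERED).items():
        print(kind, items)
```
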

Enforce Encryption: No Exceptions. As the Heathrow Airport incident made clear, unencrypted data is the security nightmare we all want to avoid. The vast array of IoT devices becoming popular in day-to-day business use needs to be subject to data security governance. This means rogue devices with unencrypted data are not welcome on your network. Employees cannot use their own flash drives to download information that may not be secure and encrypted. It is imperative to centrally encrypt all removable devices (such as USB flash drives) in your inventory, and to enforce encryption policies when copying to devices or media.

Rein in the Rogues! As for rogue devices, one security measure to put into place right away is access control software that focuses on the data. You can define rules to prevent any program (other than those you specify) from modifying critical or sensitive documents or files. For example, a rule that allows only Microsoft Word to modify .doc and .docx files will deny any attempt by successfully installed ransomware to encrypt any such files.
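The Word-only rule described above can be sketched as a small policy evaluator run over file-modification events. This is an added example, not the article's or any vendor's implementation; the rule format, the WINWORD.EXE install path and the events are constructed assumptions. It matches on the full executable path, so a program that is merely named winword.exe is still denied.

```python
from pathlib import PureWindowsPath

# Assumed install path for Word; a real deployment would use its own value.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Hypothetical rule format: protected extension -> executables allowed to modify it.
RULES = {
    ".doc": {WINWORD.lower()},
    ".docx": {WINWORD.lower()},
}

# Constructed events: (process that attempted the write, file it tried to modify).
EVENTS = [
    (WINWORD, r"C:\Users\alice\Documents\report.docx"),
    (r"C:\Users\alice\AppData\Local\Temp\winword.exe", r"C:\Users\alice\Documents\report.docx"),
    (r"C:\Users\alice\AppData\Local\Temp\upd.exe", r"C:\Users\alice\Documents\plan.doc"),
    (r"C:\Users\alice\AppData\Local\Temp\upd.exe", r"C:\Users\alice\Documents\budget.DOCX"),
    (r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
]

def decide(process_path, target_path):
    """Return 'allow' or 'deny' for one attempted modification."""
    ext = PureWindowsPath(target_path).suffix.lower()  # Windows names are case-insensitive
    allowed = RULES.get(ext)
    if allowed is None:
        return "allow"  # extension is not covered by any rule
    return "allow" if process_path.lower() in allowed else "deny"

def denied_by_process(events):
    """Count denied writes per process; repeated denials are worth an alert."""
    counts = {}
    for proc, target in events:
        if decide(proc, target) == "deny":
            counts[proc] = counts.get(proc, 0) + 1
    return counts

if __name__ == "__main__":
    for proc, target in EVENTS:
        print(decide(proc, target), proc, "->", target)
    print(denied_by_process(EVENTS))
```
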

Follow the Moving IoT Security Target. NSA leaks are the classic example of what happens when we don’t know where all our devices are at the moment, and what employees are doing with them. Over a three-year period, NSA contractors were able to walk out with classified data that was not supposed to leave the perimeter of the facility. IoT – and all mobile or remote devices – present the same security challenges to the enterprise. You need to implement user-context aware security practices that can look at where the person is working, how they are working, and what they’re working on, to determine which applications they can execute.

In a perfect world, we would ensure all sensitive data is encrypted, all rogue devices are eliminated, and employees know better than to bring home sensitive data and use their own devices. Meanwhile, we can improve security by implementing a solid asset management program for IoT devices, to have an accurate view of inventory, and to prevent rogue devices from threatening the network. Access control to prevent files being encrypted with ransomware, and application control to stop devices outside the authorized geo-location from executing applications, are two other must-do steps. This gives you the foundation to fight the inevitable next round of cyberattacks.

About the author: Phil Merson is director of IT asset management at Ivanti (www.ivanti.com).




Edited by Ken Briodagh

