Gartner defines the Internet of Things (IoT) as a network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.
But today’s IoT is very different from the IoT of a few decades back. IoT today is no longer just about backend systems with the goal of operational improvement. There are now IoT projects with business objectives for improving revenue and customer experience.
As enterprises embed more IoT into front and backend processes, security needs to be revisited taking into consideration IoT digital fingerprints.
The scale of security risks in the Internet of Things (IoT) era is therefore much greater than in the pre-IoT environment, and the “attack surface” is much larger.
Joanne Wong, vice president, International Markets, LogRhythm, says the attack surface is larger because every IoT device serves as a point to the internet, which opens them up to vulnerabilities if they are not properly protected.
She acknowledged that IoT devices are vulnerable. She explained that as more IoT devices go online, the connection to each other, increases the threat vector and access points get amplified.
A different form of risk
Wong acknowledged that the kind of risks posed by IoT devices is different from what IT has been accustomed to grappling with. She added by their nature – that of being widely dispersed – creates broad physical attack surfaces that are difficult to protect.
“In addition, IoT devices management interfaces that allow for remote access over public networks. This makes it easy for hackers to upload rogue firmware or even malware,” suggested Wong.
That IT is starting to get accustomed to dealing with a steady ruse in volume, velocity and variety of data, this is nothing compared to the exponential burst in data that IoT devices can generate.
She alluded to some devices that can contain multiple sensors that collect and transmit data.
Wong feels that some organisations are not equipped to handle or store this data securely – presenting new vulnerabilities ripe for cybercriminals to pick on.
IoT risk strategies – not ready for primetime
IoT devices have been in the enterprise since 2004. That was the year when BYOD or Bring Your Own Device became a part of Gartner's Taxonomy.
Are we saying that in the 17 years since IoT was introduced into the enterprise with our smartphones, not much has been done to improve the security of IoT devices, as used behind enterprise's firewalls?
Wong says the depth at which IoT devices have been integrated into every personal and work environments easily overwhelms anyone’s ability to be ready against attacks.
The spike in cyberattacks in 2020 following the massive migration to work from home environments illustrate the enormity of the challenge to the CIO, CISO, IT team and the organisation in general.
Conventional approach just won’t cut it
Wong acknowledged that current approaches to cybersecurity, including firewalls and anti-virus solutions, are not robust enough to ensure and safeguard IoT today.
“Conventional security solutions cannot scale to normal security processes to accommodate for the pervasive digital presence presented by the huge number of IoT devices,” she opined.
“A better approach is to make any risk visible and transparent and to prioritise your assessment and mitigation based just on the risk to the enterprise.”
Strength in numbers can be a deterrent
According to Wong, the multitude of techniques, strategies, and even tools that are used to protect IoT devices are meant to serve as a deterrent against malicious cybercriminals. She believes that if these cannot completely deter cybercriminals, at least they will have a harder time hacking into these devices to gain access to the broader network.
The work to secure an IoT world has only begun.
Ruggero Contu, research director at Gartner, said: “We expect to see demand for tools and services aimed at improving discovery and asset management, software and hardware security assessment, and penetration testing.”
Click on the PodChat player and listen to Wong share her opinions on the evolving security landscape amid the proliferation of IoT devices behind the enterprise firewall.
Joanne, welcome to PodChats for FutureCIO.
- Please define security as it relates to the Internet of Things.
- Just how vulnerable are IoT devices to attacks?
- What makes IoT risks different from that of typical IT systems?
- IoT devices have been in enterprises since 2004 (BYOD). Are we saying in the 17 years since IoT were introduced into the enterprise, IT has not done much to improve the security of IoT devices as used behind the enterprise firewall?
- For the CIO or CISO to commit to securing IoT devices in the enterprise, what needs to happen?
- Are conventional IT security solutions compatible with IoT?
- What should enterprises look for when it comes to security solutions to address IoT devices in the network?
