IoT and security: Hype, hysteria or cause for concern?

Any new technology is bound to have its share of challenges and barriers — for example the initial security concerns around cloud computing — and the Internet of Things (IoT) is no different. With smart devices adding billions of new access points into enterprise systems and communicating with the network, IoT security will be key.

A number of studies have looked at IoT device security, such as research by HP that shows that 70 per cent of IoT devices it tested contained security flaws. But just how big are the security threats?   Potential targets With IoT still in its infancy, it’s difficult to say with certainty what we’re facing. But we can look at what we do know.

Of the projected five billion enterprise devices that will be around in 2020, not all of them will necessarily be Internet-visible, and not all devices will be sending sensitive data. In fact, many of them will be simple devices that have a single function — like a light sensor.

That said, any device that is connected, regardless of whether it’s IoT-enabled, is a potential target for a cyber attack.

The devices themselves may not be the end target (they could be used to carry out malicious activity as part of a botnet attack), but they could be used as a gateway into the broader enterprise network and critical systems.

Don’t panic — the same rules apply IoT is all about making the things around us smarter, but many sensors, especially those embedded in assets, must be frugal. Limitations on space mean that processing power and battery life are often limited.

This means that many sensors aren’t capable of running the endpoint protection capabilities we’re used to seeing in more sophisticated assets, like laptops.

But while some familiar security rules — such as applying anti-virus to all endpoints — don’t relate to IoT systems, many do:

• Authenticate all IoT connections. Digital certificates provide a robust solution without compromising practical operation

• Ensure that patches are applied to IoT devices promptly. The 2016 DBIR found that most attacks exploited known vulnerabilities where a patch has been available for months, often years. You don’t want to have to rely on manual methods to keep hundreds or thousands of devices up to date. Investigate secure methods to deploy updates automatically

• Only collect the information that you need from IoT devices, and dispose of it securely when you no longer need it. If you don’t have it, it can’t be stolen

• Encrypt sensitive IoT data. Encryption won’t stop criminals from stealing your data, but it will make it a lot harder for them to do anything damaging with it

• Segment IoT networks and systems to limit the spread and damage of any attack. You don’t want a breach of a relatively innocuous sensor to lead to the compromise of your Connected Device or enterprise systems.

That said, any device that is connected, regardless of whether it’s IoT-enabled, is a potential target for a cyber attack.

Segmentation will also help reduce the amount of sensitive information criminals can exfiltrate   Don’t Cut Corners As IoT devices become more widespread and more closely integrated with core enterprise systems, the more important it is that security is made paramount from the start.

Just as with any other IT system, organisations should regularly assess the risk, apply appropriate security measures, and test their effectiveness.

Robert Le Busque is the Managing Director of Sales Operations and Strategy at Verizon Enterprise Solutions. He is responsible for all aspects of strategy, operations and planning functions for the Asia Pacific, Europe, Middle East, Africa and Latin American regions.