Understanding the IoT Security Threat Vector
The purpose of security is to eliminate all possible entry points into a business. While technological advances in the Internet of Things (IoT) are exciting, they reveal a number of security risks for small and medium businesses. The basis of these risks is that IoT can exponentially increase the number of entry points into the business. As a result, new rules and controls must be established to protect companies from outside forces.
IoT is still relatively new in the marketplace and rests on the idea that electronic devices can talk to each other provided they have sufficient CPU, memory and wireless communication capability. Because of miniaturization, every device can be computerized. Basic radio frequency identification (RFID) chips can be attached to shipments to communicate location, temperature or any other measurable variable, making a package an IoT device. The advantage in a business setting is simple: a person at a workstation can have electronic access to the printer, copier, coffee maker or whatever else is IoT compatible without additional cabling or configuration. IoT allows communication between smartphones, wearable devices, computers, tablets and a myriad of other devices, which may not be assets of the company.
While IoT capabilities have their advantages, every device is now a miniature computer and therefore hackable. This presents some potentially serious issues for small to medium businesses. Fortunately, IoT security is a major concern for businesses of every size and for governments, so a number of initiatives are in progress to correct any potential security flaws.
IoT devices are always on and always connected. They are subjected to a one-time authentication process, in contrast to user-controlled devices that typically require authentication every time a user logs on. While the company has control of how many IoT devices it manages within the network, most employees and customers are likely to walk through the door with at least one or two IoT devices on their person. All of these circumstances make IoT devices a perfect conduit for electronic infiltration into the business. The solution is rather simple but requires some investment in time and resources: gateways into the network require more security. One possible security control is to restrict access to the business network to only authorized devices controlled by the company.
IoT devices create a large amount of data, from shipping information to equipment monitoring. This data can include sensitive information that must be protected, including customer information. A properly developed data use policy is the first place to start before adopting IoT. A data use policy will define the security classifications for all data, who can access the data and under what conditions. Most companies may already have such a policy, but it should be reviewed and updated based on current knowledge and concerns about IoT.
Small and medium businesses are typically strapped financially, and current IT departments are unlikely to have a rich understanding of IoT and its pros and cons. For this reason, SMBs should consider working with a partner who has greater experience in this area. Security tests of the IoT solution can identify potential vulnerabilities. Some partners may be able to provide a managed testing and evaluation service to review all proposed devices being considered for deployment.
IoT is the new frontier for business. Few companies have the finances or the resources to carry out an IoT initiative; therefore, very few companies may understand how best to secure IoT. Everything is new and dangerous until IoT becomes a common technology within the business landscape. No ‘magic bullet’ exists for securing an SMB from IoT vulnerabilities. Understanding those vulnerabilities is the first step to establishing better security. Controlling what devices actually touch the network is another step. Securing the data generated or used by IoT devices is a third step.