The Internet of Things and quantified-self movements have led to an explosion of interesting gadgets for consumers and households. But Internet-enabled devices have also started to create more meaningful and easier work experiences, and we expect to see more and more connected devices being used in the workplace.
But what is the security impact of the IoT inside company ‘walls’?
More gateways of intrusion
Many of the challenges inherent to IoT are similar to those found in BYOD environments. This is because the IoT is really the evolution of several technologies that have been here for some time now: mobile devices, cloud, sensors, and big data.
Unfortunately, embedded operating systems are often not designed with security as a primary consideration. As a result, some IoT devices are vulnerable and the attack surface widens. Most devices are pushed to the market with vulnerabilities related to weak authentication, insecure password recovery mechanisms or faulty encryption for data in transit. These can be exploited to hack the device itself, but more importantly to get access to other network-connected devices and the trove of data they carry.
Every IoT-connected device, be it an employee’s wearable, industrial controls or a smart vending machine, can act as a backdoor for attackers into the enterprise.
Lack of standardization
The IoT landscape is fractured by the diversity of the market itself. Some IoT vendors have focused on standardizing APIs (in the market for home-automation tools, for example), but there are still as many standards as there are devices. Due to the nascent nature of the IoT ecosystem and the different levels of maturity and complexity of different industries, it’s very difficult to envision how or when it will be properly regulated.
IoT players need to continue joining forces to develop formal and informal standards for apps, to enhance interoperability across industrial environments and make data easily shareable.
Big data and privacy issues
Highly regulated and tightly controlled buildings are collecting gigabytes of data on how their employees interact – from energy use to emails, location, time spent outside and who they talk to. This creates a continuous picture of office life. But isn’t this an invasion of workers’ privacy?
The cloud also brings its share of privacy concerns as it plays a key role in the IoT ecosystem. In a device-to-cloud communication model, the IoT device connects directly to an Internet cloud service (an application service provider) to exchange data and control message traffic.
The fact is that corporate executives are still hesitant about storing confidential business information with third-party cloud services, especially since SMBs are starting to recognise the value of their data. Despite their size, they can handle valuable information, such as intellectual property, personal information about customers, bank account numbers and credit card data.
The key issue that still makes executives ponder the use of cloud technologies concerns liability.
Cloud services are often hosted in one country and used in others. Service providers may use data centers scattered around the globe, so companies may feel uncertain of the location of their data. In addition, there may be issues of legal jurisdiction in the event of a dispute and uncertainty about the applicable law. Thus, a security breach becomes not only a technical problem but one of liability and accountability as well. Not surprisingly, 70% of businesses want to work with a cloud implementation provider that offers a single point of accountability – this means making a single person accountable for the whole process.
Shift of paradigm
The IoT forces companies to think outside the box. Many organizations secure the back-end of the IoT infrastructure that is running in the data center, but not the IoT device itself, or the application that remotely manages the device.
Needless to say, security must be addressed at all levels of the network, taking into account even the smallest connected devices. Given the diversity of devices, every business should build its approach to IoT security on these five pillars:
- Manage cybersecurity software and physical security solutions together.
- Enforce security policies tailored to the IoT environment.
- Conduct customized risk assessments to identify risks and how best to contain them.
- Implement a specialized, multi-layered IT security solution to protect all nodes on the corporate network, including protection against Internet threats and encryption of data on endpoints.
- Train employees in IT security and office system operation rules to reduce the chances of attackers gaining access to your data through social-engineering techniques.