Securing the Internet of Things (IoT) is the great challenge facing organisations and manufacturers across the world. IoT devices, which range from baby monitors to cameras and even e-cigarettes, are often poorly secured, with only the most basic levels of protection.
These IoT devices, explained Ofer Amitai, the co-founder and CEO of Portnox, are just “unmanaged devices put on the network by the operations side of our organisation, and they are not patched, they are not running the latest firmware”.
This vulnerability has been exposed numerous times and led to mass distributed denial of service (DDoS) attacks – where hackers access multiple devices to form a malicious botnet. This threat is only going to increase.
Amitai discussed this, and said “to better understand the scope of this the IDC has updated their projection from 30 billion devices, to 200 billion devices by 2020 – the amount of connected devices into the network. So, this is a huge issue and it is going to become even greater as time passes.”
How can organisations secure the IoT?
“Visibility would be the first step to protecting yourself,” said Amitai. “So, knowing about all the devices. Second would be to manage the risk. So, monitor those devices and continuously control that risk. Knowing what services there are on it. Then I would do segmentation of the network, to make sure that those devices are connected to the right place in the network…the last step would be to monitor the behaviour of those devices. So, if something changes with their behaviour then you should react to that immediately. And of course, the last part is control, and automate that control so not just alerting things but taking actions as well. Doing that, as much as you, automatically.”
No one said it would be easy, but it is of vital importance that organisations begin following the advice of security vendors like Portnox. Weak IoT security will leave businesses vulnerable to external intrusion. It is vital they know which internet-connected devices are on the network in order to manage the risks they pose.
For example, insecure IoT devices can cause “IP conflict or some devices can issue the NCP requests or replies and cause network issues on your network,” explains Amitai. “But also security threats, direct security threats where those devices can act like a Trojan to your network. Or, someone can hijack that device and then either violate your privacy or cause some denial of service for your crown jewels for your organisation.”
No one is going to stop using these devices. Indeed, they are now fundamental to how business and the world operate. “The ability to work from different places, to work from WeWork, to work from those shared work spaces is something which becomes a new reality,” said Amitai. “And again, enhance the productivity of people, and allows new options and new freedom to everyone.”
“With that comes the risk of working from unsecured environments, from places that are much more exposed to risk. Having an endpoint without a firewall, without an anti-malware, without a protection against ransomware, which is not running the latest patches in such unsecure places in those shared workspaces can be a huge threat to organisations. You need to control that risk, and put a line in the sand of where you want to better put the emphasis on whether you allow people to connect to your VPN, for example, without an anti-virus or not. And that’s I think one of the challenges of this new workspace, this new space to work in this dynamic BYOD environment.”
In a concluding note, Amitai suggested that governments around the world needed to take more action when it comes to security.
“What I think we are missing as an industry, or as a society is that this problem of digital crime – which is on the rise – is not just for us as security vendors to solve. We’re happy and we’re committed to help organisations protect themselves against crime, but this is essentially the job of governments as well. They should handle that. Governments should provide safety in the digital world as well for organisations. Inter-government organisations should catch the cyber criminals attacking these organisations. And forcing them to have their digital guardian at the entrance of their business. It doesn’t make sense the government would put all their burden on the citizens and the SMEs. They should take responsibility as well, and I hope this will change.”
It is not just organisations that will be affected by vulnerable IoT devices. As they become more widespread, people will integrate them into their homes via appliances or even alarm systems, and the problem becomes clear.
It is imperative, therefore, to ensure these devices are visible and have adequate security settings built into them during production – a practice that needs to be adopted by IoT-device manufacturers.
Following Amitai’s steps – discussed in the interview above – organisations can help mitigate the risk posed by the rise of the Internet of Things in the BYOD era.