It’s clear that the Internet of Things (IoT) offers both vast new capabilities and significant threats. When IoT security is discussed, the conversation tends to focus on smart refrigerators, cars, watches and other consumer devices. The blind spot seems to be the less glamorous devices like valve sensors and webcams. The massive Mirai botnet army, which hijacked thousands of printers and other connected devices to take down almost a third of the world’s websites, was a wake-up call to take a closer look at the vulnerabilities within connected things.
Connected sensors and IoT devices in manufacturing, healthcare, transportation and utility settings have been adopted faster than security measures have kept up. That means a broad swath of the global economy’s critical infrastructure is increasingly vulnerable to these attacks.
Confusion abounds as to the extent of the threat that the IoT poses and what can be done about them. As a result, many are holding off on implementing connected technologies. Forrester predicts that security concerns will choke the growth of IoT adoption in 2017.
The fact remains, though, that the IoT is here to stay, and it holds the potential to deliver significant business benefits. Choosing and deploying a secure IoT solution lets you gain valuable new business insights and efficiencies while protecting you data and infrastructure assets.
Security sold separately?
IoT purchasing decisions must consider the level of security that manufacturers have built into their products. While it is (relatively) easy to design and ship an IP camera, for example, the ease with which one can be hacked using factory settings makes installing one an unacceptable risk factor to the network – and your organization.
Legislative bodies are taking the IoT threat seriously – and taking action. In January, the Federal Trade Commission (FTC) filed a complaint against router giant D-Link, charging that the company had deceived users on the security of its products and failed to take steps to secure those products appropriately. This case has become a bellwether because the complaint was brought in response to the vulnerabilities themselves, not because of a breach exploiting those vulnerabilities. This is a sign that regulators are taking a more aggressive stance in demanding that connected device manufacturers take clear and sufficient steps in securing their products. That’s welcome news for buyers.
Four steps to start with
Below are several beginning steps toward building greater IoT security into your business.
- Demand devices with unique credentials: Don’t make the same mistake that so many others have, and plug in connected devices with factory settings. Require that each device have a unique password from the manufacturer, printed on a sticker that’s included on the device itself. This significantly reduces the chances of compromise.
- Move beyond Wi-Fi: Wi-Fi is useful for smaller, fast deployments. But for wide-scale installations in specialized vertical network environments, like manufacturing or healthcare, consider using one of the many specialized communications protocols that are available to your engineers. Do all functions need to be performed on the device or can some be punted back to the network? Minimizing the need for the device to perform all functions and be connected to all traffic all the time can also reduce its threat exposure.
- Use open source wisely: For IoT startups looking to get product to market quickly, Open source IoT software is an easy, cheap and flexible option. Yet security flaws can be exploited rapidly, and patches are often slow in coming. IT team therefore should be aware of the risks in using technologies that are based on open source code.
- Hire and train the right talent: When it comes to the IoT, clarifying terms is quite helpful. A job ad asking for an IoT professional may attract 10 people with 10 different backgrounds. Think instead about what your company does with connected devices and the specific skills it needs to manage and deploy those applications, systems and devices securely. Looking for and training people with IoT certifications is a way to validate those skills.
A more secure future
The world has become hyper-connected, and bowing out of the IoT is not a viable business option. But neither is charging ahead whole-hog without a clear and comprehensive security strategy. Use the steps above to begin the process of securing your network and the devices connected to it. With the right people, processes and products in place, you are creating a secure foundation for your organization’s future.