In March of 2019, the Internet of Things Cybersecurity Improvement Act of 2019 was introduced to the Senate. Its supporters recognize the potential risk of IoT when it is deployed without adequate security.
IoT has been singled out by the Defense Intelligence Agency as a threat to national security. That’s according to its director, Lt. Gen. Robert Ashley. But it’s not just government departments that need to take the threat seriously; the act contains sensible talking points for businesses of all sizes.
High level considerations
Any organization of government department that implements IoT needs to consider two things.
First, the organization needs to ensure that the devices it deploys are appropriately configured, and that configuration needs to be checked routinely. This should be part of a holistic approach across the organization.
For example, no device should ever be connected to a network with the default password as set by the manufacturer. And employees should not be making siloed decisions about the devices that they want to implement in their department.
Second, the organization needs to set aside the appropriate resources to manage these IoT devices indefinitely, and with due care and consideration to the security challenges they pose. That doesn’t just mean the cost of resolving connectivity or hardware problems or setting up automated network monitoring.
Every single IoT device needs to be routinely maintained on a regular basis, with the appropriate software patches and manufacturer updates applied as soon as they are available. Any devices that cannot be updated, or which fall behind their update schedule for any other reason, should be taken offline lest they post an unacceptable risk.
The risks are real
Network devices are routinely compromised to spread malware, coin mining scripts or ransomware on corporate networks. All of these threats have a devastating impact on organizations, consumers and clients.
The cost of fines, ransom payments and lost productivity can quickly spiral, and the sheer volume of connected devices in an IoT deployment amplifies the risk. That’s precisely why IoT should not be considered to be a “set and forget” technology in any business, even if the risks are assumed to be low.
Just as a poorly secured network can be a honeypot for hackers, IoT can offer mischief-makers and criminals a valuable backdoor into a corporate network, and it should be treated with the appropriate care. Any device capable of sending and receiving data falls into this category.
Perhaps the easiest first step toward safe deployment of IoT is adequate training. Internet of Things World 2019’s research: “What’s Keeping IoT Executives Up At Night 2019,” found that decision makers in IoT are already looking at the most appropriate ways to upskill employees, with 46% looking to roll out training programs to their entire workforce.
Across the organization, the right security processes are important too. Updating firmware, and using appropriately strong passwords, are fairly pedestrian measures that should be familiar to savvy employees already. Paying attention to these routine tasks can make the difference between a secure IoT deployment and a highly vulnerable one.
Using a dedicated network can also ensure that IoT devices do not provide gateway access to other areas of the business if they are compromised. And data encryption is also key; technical staff are taking much more care over the type of encryption used and the proper storage of encryption keys.
In basic terms, an IoT device should be no riskier than any other type of connected device. However, we tend to think of IoT devices as self-managing — almost like a router if you will. That said, today’s connected devices are becoming increasingly complex requiring a high level of attention to detail. Organizations need to ensure that appropriate resources are in place so that devices are always appropriately configured, maintained and updated on a regular basis.
Lawmakers have recognized that the government needs to take care when procuring IoT in the future. Businesses must also take heed of the challenges they face. For this reason, IoT security has been highlighted as a key theme at Internet of Things World 2019 in Santa Clara this May.
Zach Butler is the director of IoT World. Internet of Things World is North America’s largest IoT event, bringing together the top technologies, strategies, and case studies for the key industries implementing IoT.