There’s no doubt that the Internet of Things (IoT) is going to change how consumers view the security of their electronic devices. No more will security and privacy risks be limited to personal, Internet-connected and home-networked computers.
Consider news that broke recently about a breach on a toymaker’s website and the resulting leak of personal data for 4.8 million users. (That news was well covered in this story, When children are breached—inside the massive VTech hack, if this is the first you’ve heard of it.) There have been plenty of other examples in recent months, from home security systems to automobiles proving vulnerable to exploitation.
These vulnerabilities will soon start to be a real headache for enterprise information security, as corporate IT teams are increasingly asked to protect building HVAC systems and manage connected car and truck fleets, warehouse devices, robots and virtually anything else one can imagine.
With all of these new devices being networked and connected to enterprise systems, they will soon have to be protected from the familiar litany of attacks: data breaches, attacks on availability, snooping, data manipulation and more.
Here are a number of important ways IoT security will change enterprises:
The IoT increases the enterprise attack surface.
Gartner estimates that there are now over 1.6 billion business-connected IoT devices. That number is expected to jump to well over 8 billion by 2020. With so many connected devices expected to be online in coming years, organizations are going to need to find ways to identify, inventory, prioritize (by business value) and protect devices and the data they generate.
The IoT presents privacy and confidentiality challenges.
All of these devices will generate considerable amounts of data every day. Not only will this data be travelling the networks, it will also need to be stored, increasing the number of network connections and the amount of stored data that will need to be protected. This data is also going to create new privacy and confidentiality challenges. Enterprises need to consider how they are going to design their privacy policies to meet the need.
The IoT creates new availability challenges.
When denial-of-service attacks hit Web applications, backend servers or networks, business stops. When such attacks hit IoT devices, the physical world may stop or be altered or damaged.
As threats target connected IoT devices, enterprises will face new urgency to protect systems. It will be increasingly important that IoT data and applications be always available, especially when dealing with company fleets, warehouse or factory machinery, telematics coming in from the field and anything else that is critical to running a business.
The IoT poses new systems management challenges.
Managing traditional networks and servers has always been a challenge, but with billions of IoT devices coming online, these challenges are certainly going to reach new levels.
So what can organizations do? The first thing is to prepare and develop a plan to deal with IoT security and the very real potential for massive device sprawl and costs associated with poor security controls. Secondly, take inventory of all of the IoT devices within the organization now. Make sure new devices are being monitored and added to the inventory.
For existing IoT connections, it’s important that traffic be monitored for anomalous activity and that devices receive security and performance updates as needed. Finally, organizations need to look at the systems they have now or will soon have, and make sure proper policies are in place for management, security and privacy.
While the IoT is in its early days, it’s crucial to get management right now, while the device numbers are relatively low, as are the stakes. With device numbers and data growing, the risks will be much higher very soon.