Enterprise cybersecurity must scale up to match the IoT

The IoT is misunderstood. We may hear stories of smart devices being hacked in the home, or read news reports which condemn the poor security of a particular consumer product like smart doorbells. But in truth, IoT device vulnerability is pervasive. Right now, there are likely to be unencrypted or poorly-secured devices in our homes, but also in our children’s schools, our enterprises and our governments’ offices.

Cyber attacks on enterprise IoT networks are at a different level of danger when compared to home hacks. When critical infrastructure, such as connected devices found in manufacturing or healthcare, is hacked, the results can be devastating for personal safety, jobs, and even lives. 

Now, as the IoT grows exponentially to billions of devices, protecting each and every endpoint seems like an impossible job.

The swift pace of IoT has created an issue of scale “where the size of the environment of endpoints, data, and threats is making the job of the CIO and CISO unmanageable,” as Frost and Sullivan analysts put it. But there are ways security teams can manage this huge threat. The key is to be aware of the nature of the threat, and follow the fundamental steps to scaling up cybersecurity.

The threat surface is rapidly expanding

The threats due to enterprise IoT are significant and should not be underestimated. These connected devices generate an enormous amount of highly detailed data. Should this data be stolen or disrupted, the results could be highly destructive to business reputation and operational availability. Also, the data within supply chains that detail operational demands, production data and more will always have value to competitors.

IoT security is a challenge across verticals. According to Frost and Sullivan, the factory and industrial automation market will have nearly 10.8 million connected devices by 2025, while building automation will reach 30 million. Other verticals expecting substantial growth, according to the report, include connected cars and telematics, retail, healthcare and medical devices, and enterprise-issued and bring your own (BYO) devices.

“This will substantially increase the threat surface, which is reflected in the rapidly expanding threat landscape,” the firm wrote in their report. The total number of devices include recognisable endpoints, such as phones and tablets, as well as devices across nearly every other industry.

Of course, with these device deployments, there is great opportunity to improve operational efficiency, improve the lifecycle management of capital assets, provide real-time insight into the enterprise happenings, and engage with customers in new ways. But the security concerns are also real. The challenge is to manage the security risks so that these benefits can be realised, and the risks minimised.

It’s possible to regain control of all endpoints

There are a number of steps that can be taken to ensure adequate IoT security. One step every organisation can take right away is to procure devices from manufacturers that develop their products with security in mind – baking security in from the ground up, rather than bolting it on afterwards. As part of that effort, organisations should make sure to have their security teams test any new hardware and software for security flaws and ensure the devices can be managed just like other endpoints.

Effective IoT security is complicated not only by flaws in procured devices. It’s also influenced by how different business departments independently choose to manage and secure their IoT devices. All organisations must be aware of this, and should prepare to effectively track, secure, and manage all newly connected devices across the enterprise in a uniform way.

One of the most important strategies to success will be not treating IoT devices as a discrete security challenge, but as part of the organisation’s overall endpoint security strategy. If security teams are to have the visibility and control they need, endpoint and IoT security management must be unified. That includes devices that run any operating system, such as Android, Chrome, Windows, and macOS. With fewer consoles, or ideally a single console, when managing all endpoints, security teams will have all the information they need to properly identify security threats and respond to potential breaches, and to more intelligently defend systems and data.

Enterprises can’t afford to wait long to centralise their IoT and endpoint security. The longer they wait, the harder it’s going to be to successfully consolidate, especially as IoT deployments accelerate and there are ever more devices on networks, for example, as a result of the explosion of remote working caused by the recent COVID-19 pandemic. Without a centralised console, decentralised information about security events – including attacks across domains – will be lost or overlooked, and teams will be forced to try to manually piece together their responses.

Spot the signs when procuring enterprise IoT systems

Security teams must be alert to five key attributes when buying IoT devices from providers, to ensure maximum endpoint security:

· Centralised management of users, data files, apps and devices

· Alignment and compatibility with the most popular endpoint operating systems

· The ability to control the security configurations of access credentials, passwords and more

· Pattern tracking and analysis, to spot anomalies that could indicate crime

· Flexibility for deployment across cloud and on-premise environments

The CIO and CISO roles can survive the IoT. But organisations must be proactive in defending themselves against IoT threats. By exercising vigilance and deploying intuitive technologies, enterprises can scale their security efforts to match the expansive IoT.

Nigel Thompson, is VP Product Marketing at BlackBerry