Make room! How to manage mobile and IoT devices without getting eaten
While not made of Soylent Green, IT defenses at small to midsize businesses are in danger of being eaten by the rise of the Internet of Things. IoT has benefits, but it also poses security risks to IT systems.
There are many good reasons for your business to adopt the latest and greatest IoT technologies, particularly when they serve and delight customers. Among the perceived IoT benefits are improvements in operational efficiency, customer service, intra-organizational collaboration, strategic decision-making, and profitability. Others cite hardware cost savings, improved employee mobility, greater employee satisfaction, and increased employee productivity. And this isn't (sensor-based) pie-in-the-sky; many businesses are getting real results from IoT.
As such, IHS Markit forecasts that the IoT market will grow from 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion by 2025.
Serious security concerns
Despite the increase in affordable IoT devices, security for the devices is not keeping up. According to a PWC report, "The IoT is the Wild West of cybersecurity and privacy, an ungoverned frontier without laws and norms. In fact, there is no global agreement as to which entities own the platform and are ultimately responsible for its security."
Businesses worry. In one survey, 73 percent of midmarket companies indicated that they were concerned about IoT security. Devices are at the mercy of their environment, human error, and hackers.
Given the advantages of using the IoT, as well as the security risks, the issue facing IT teams is to manage these devices, not to prevent their use or prohibit IoT initiatives.
Fortunately, there are things you can do to minimize the risks. Up front: Some of these solutions cost money.
"It all comes down to risk vs. reward," says Matt Michalek, CISSP and manager of information security at a midsize financial services firm.
"For example, the risk of theft might be $1 million, but the business upside is $2 million," he says. Business and security teams usually give the pertinent information to executives, and the C-suite makes the final decision on how to respond to risk.
Given the pace of both business and technology innovation, "it's good to revisit these issues as often as necessary to make sure nothing has changed," adds Michalek.
Identifying and minimizing risks is the IT department’s job. Michalek, who's also a retired captain in the Army National Guard, adopted a military approach as he moved to the IT world: defense in depth.
A defense in depth strategy (DID) has multiple layers of security. Each takes into account the worst-case scenario. For example, if hackers break through the firewall, network monitoring may catch them before they do much damage or steal data. This approach is much more secure than depending on a single layer of security.
The weakest link is people
The first layer of Michalek’s DID strategy is an HR policy that ensures each employee knows which IoT or personal devices are allowed and the repercussions for violating the policy. "The human element is always the weakest link in information security," he says.
This policy can never cover employees with malicious intent, but it does take care of those who might use forbidden devices because they're unaware of security vulnerabilities.
The next level in Michalek's DID strategy is internal IT team processes. "I need to make sure the staff is aware of the threats. They need to know what to look for, including the types of devices they may come across in the course of their day."
Choosing technology controls
IoT preventative measures include several types of technology, such as monitoring, detecting, and taking action, says Michalek.
Start with physical control. At its simplest, that means controlling who can touch the hardware. Every network port is locked down until IT enables something to be plugged in. When a device is plugged in, IT can detect a device signature and, if it's not recognized, shut it down or sound an alarm.
Next, consider what is permitted to connect to the network and the nature of the data that travels across it. Michalek allows certain devices to connect, and the rest are locked out. This is done at both the physical level (what can be plugged into the wall) and the logical level (Wi-Fi devices). Traffic monitoring triggers an alert if it detects something odd. Large companies may have 20 people to keep an eye on things, but SMBs do not have extensive resources. Instead, smaller businesses need to be smart about how to monitor everything that's going on.
The key, says Michalek, is setting baselines. To do so, get an idea of normal traffic, how internal applications and users look, and then look for things to pop up. "For example, one employee may be browsing Russian websites," says Michalek, "It might not be anything; maybe the guy's from Russia. But you need to look into it."
A simplified example of DID in action: a laptop with a camera and an IoT camera look similar, traffic-wise. However, while the IoT device may pass the traffic monitoring layer, the device-signature monitoring layer catches it and bumps it off the network.
Finally, Michalek's team can take action remotely to kick devices on the "not allowed" list off the network. For example, if a bad device is plugged in, the network port it's using can be deactivated.
"The IoT is by itself not a bad thing, but it's often done haphazardly," says Michalek. Because it's so easy and cheap to get IoT devices, people do not think about security. Defense in depth covers these lapses and keeps your systems from being eaten.”
IoT security: Lessons for leaders
- IoT brings both risks and rewards, between which the decision to allow or forbid the devices must be made.
- A defense in depth strategy includes multiple layers of security, each of which provides a way to protect a company's system.
- IoT security measures include both physical and logical systems, each of which use a number of technologies to reduce risk.