Don't let the IoT spell D-O-O-M for your data

Organisations must leverage the competitive advantage of the IoT, while facing up to the risks it brings.

The term ‘Internet of Things', or IoT, refers to the growing trend in the IT industry of connecting everything to the internet. Home security systems, thermostats, webcams, automobiles, TVs, refrigerators, medical devices and practically anything else you can think of that could benefit from remote monitoring or be used to interact with other systems will soon be connected.

These billions of devices represent potential targets and potential vectors for attacking other systems, including your corporate IT resources. Taking a wait-and-see attitude is only going to guarantee you problems in the future. Here are some of the things you need to be working on now.

A two-fold threat

The IoT threat is two-fold: target and vector. IoT devices can be targeted for compromise as they may provide access to critical data but can also be low-hanging fruit for those with mayhem on their minds.

But since many IoT devices may have access to corporate systems, they may be targets only so that they can be leveraged to attack other systems, including your network.

Some defences are distinct to each kind of threat, but many are common to both and, in fact, involve great focus on current network and endpoint security best practices. There are some things that you can do right now to get in front of these threats.

Addressing the threats

Admit you have could have a problem. Admitting a problem exists is the first step towards solving it. One of the worst approaches to new trends in technology is not to acknowledge that at some point, no matter how far in the future, you could have a problem if you’re caught unawares.

Planning for IoT doesn’t need to be a year-long project but taking a look now into how it may impact your business in the future will save you trouble and time.

Change your workplace connectivity policies. If you have policies on personal device use in the business, now is the time to brush the dust off and get them updated. BYOD is the forerunner of IoT. If you haven’t done anything about BYOD, it’s time you did.

Ensure you have policies in place regarding acceptable use, expectations for patch management and system hardening, and comingling of personal and corporate data. Cover physical security and encryption, and ensure that the policy makes it clear that BYOD is a privilege, not a right, and as such it can be revoked.

Harden firewalls. This is an area that 45% (GFI Software, 2014) of IT pros see as a major priority in their business. Hardening firewalls may include replacing them, as simple packet-filtering devices are not enough. Organisations will need application-aware firewalls or proxies to help securely publish access to applications and data, and that can detect inappropriate or anomalous behaviour and respond, not just alert.

Maximise tools that you have. Don’t skimp on security. A recent study conducted by the Aberdeen Group put the average cost of a single application security incident at $300,000. An ounce of prevention is worth a pound of cure, and a few extra dollars spent now on security could save you significantly in the future.

If you need to shore up your defences then do so using whatever tools or processes you need. Security software is important, but you should also look at patch and vulnerability management. Patch management will be a big thing with the Internet of Things - now’s the time to start practising.

Look for new tools. Your current security vendors can help in two ways. First they can advise you on how best to configure their existing products to adapt to IoT. And both your existing vendors and new ones can detail specific new ways they support IoT. If you are adding IoT tools or apps, make sure the vendor/partner you choose has a good security story.

Secure your applications: Many IoT devices will provide telemetry data to back-end systems. Others will provide web browser access to line-of-business applications or may stream data from back-end systems for entertainment and education. Ensuring that data access is authenticated properly and that any uploads are sanitised and normalised before being processed is nothing new; corporations do it all the time when working with clients using web browsers.

You may simply need to increase your capacity to accommodate the additional client traffic. But if you are not yet securely publishing access to data and applications, it’s time you started.

The IoT will transform business security, as even standard employee devices could present an opportunity for exploitation and pose a real danger to organisations if they are connected to the internet without proper security protections. With billions of devices poised to connect to the internet, organisations are exposed to billions of insecure new endpoints that can compromise the network.

The key takeaway is clear: IT organisations must plan effectively to ensure adequate operating system, firmware and patch support within the new IoT age and secure methods of providing IoT clients with access to core data and applications.

The organisations that face these challenges head on and are prepared to leverage IoT will have the competitive advantage over those that do not. In which group do you want to be?

David Kelleher is Director of Communications at GFI Software

Image courtesy Marcus Brown under CC