The Internet of Things (IoT) has become entrenched in every aspect of modern life. Learn how to incorporate cybersecurity into your IoT strategy from the beginning.
The Internet of Things, a broadly distributed, intelligent, autonomous network of smart devices, is already being rolled out all over the world, and with it come security concerns for every business network. Expected to number more than 25 billion objects by 2020, these devices can be as bulky as a soda vending machine or as innocuous as a smartwatch.
Computer security has lagged innovation in the industry for years. First through primitive floppy drives and then increasingly via the internet, as more and more machines were brought online, viruses and malware have cut through operating systems and productivity software almost without effort. No comprehensive defenses have ever emerged, and slapdash protection like antivirus scanners lag the threats by design.
Nonetheless, the patched-together defenses have been sufficient to allow the modern internet to function and even prosper with only a steady drip of breaches, albeit breaches costing approximately $6 trillion each year. With an average cost of $2.4 million and a time to recover of 50 days, according to industry consultancy Accenture, businesses have been taking hits but making enough money in the process to write them off as just another cost of doing business.
But the advent of the IoT is likely to change that equation dramatically, and for the worse. While businesses today spend around $93 billion on cybersecurity services, that figure will skyrocket with the rapid explosion in both the number of devices to be secured and the difficulty of securing their proprietary and possibly unsupported operating systems.
To control those costs, it is imperative for businesses to develop strong, proactive strategies for securing their networks for the Internet of Things.
Recently, the Department of Homeland Security released a guide to strategic principles for companies to follow in this effort. The six steps are ones that every business and IT manager should know.
Incorporate Security at the Design Phase
Both IoT devices and the networks that will support them will have to be designed from the ground up for security. Unlike today’s LANs and WANs, security cannot simply be an afterthought. Network-level security by default is the best practice: explicitly permit the protocols and devices that are allowed to send packets, instead of relying on the default-permit rules common on today’s networks.
Building networks tolerant of disruption and compromise is also important. Redundancy and segmentation capabilities can rapidly seal off compromised devices or network segments, allowing company business to proceed unmolested in other parts of the organization.
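The difference between default-permit and explicit permissions, and the effect of sealing off a compromised device, can be shown with a small model. This is an added example, not part of the DHS guide or the original article; every address, port and rule in it is constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str    # IP of the sending device
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    port: int   # destination port

# Constructed allowlist: each known device gets only the flows its job needs.
ALLOW = {
    "10.20.0.11": [("10.10.5.0/24", "tcp", 8883)],  # sensor -> MQTT broker subnet
    "10.20.0.12": [("10.10.6.20/32", "tcp", 443)],  # camera -> video recorder
}
# Constructed blocklist, standing in for a default-permit network.
BLOCK = [("0.0.0.0/0", "tcp", 23)]  # telnet blocked everywhere, all else passes

def _match(flow, rules):
    """True if any (network, proto, port) rule covers the flow's destination."""
    return any(ip_address(flow.dst) in ip_network(net)
               and flow.proto == proto and flow.port == port
               for net, proto, port in rules)

def default_permit(flow):
    """Everything passes unless a blocklist rule names it."""
    return "drop" if _match(flow, BLOCK) else "accept"

def default_deny(flow, quarantined=frozenset()):
    """Nothing passes without an explicit rule; quarantine overrides any rule."""
    if flow.src in quarantined:
        return "drop"
    return "accept" if _match(flow, ALLOW.get(flow.src, [])) else "drop"

# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("10.20.0.11", "10.10.5.7", "tcp", 8883),     # expected telemetry
    Flow("10.20.0.12", "203.0.113.50", "tcp", 8080),  # camera reaching an outside host
    Flow("10.20.0.99", "10.10.5.7", "tcp", 8883),     # device missing from inventory
]

def compare(flows, quarantined=frozenset()):
    """Return (default-permit verdict, default-deny verdict) for each flow."""
    return [(default_permit(f), default_deny(f, quarantined)) for f in flows]

if __name__ == "__main__":
    for f, (p, d) in zip(SAMPLE_FLOWS, compare(SAMPLE_FLOWS)):
        print(f"{f.src} -> {f.dst}:{f.port}/{f.proto}  permit-model={p}  deny-model={d}")
```

Under the blocklist model all three flows pass; under explicit permissions only the expected telemetry does, and adding the sensor to the quarantine set cuts it off without touching any other rule.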
Advance Security Updates and Vulnerability Management
Some 80 percent of malicious attacks are conducted against security vulnerabilities that have already been found and fixed by the original vendors. Patch management is a chronic problem in today’s networks, and it will only get worse with millions more devices flooding corporate systems.
The brunt of this problem will fall on vendors themselves, but companies can assist them by selecting devices with strong patching support and moving aggressively to eliminate outdated or unsupported IoT peripherals.
Build on Proven Security Practices
Although the IoT will undoubtedly lead to a sea change in corporate information security practices, the rest of the internet and its attendant weaknesses will not simply disappear. Current best practices are still important and can, in fact, mitigate many potential IoT vulnerabilities along with the more traditional holes they are designed to cover.
A solid defense-in-depth strategy that does not put all your security eggs in one basket is something every company should already have. Businesses that already use this technique are miles ahead when it comes to being prepared for their IoT roll-out.
Prioritize Security Measures According to Potential Impact
Risk models in the IoT may not conform to current ideas for structuring network security. IoT devices will run the gamut from welding robots to coffee machines. Each of these is likely to have different intended uses and network environments and will come from the factory built with that use in mind.
But if there is anything that today’s internet has taught us, it is that users find their own applications for devices. IT departments will have to prioritize their security strategy to deal with unintended uses and to aggressively identify new devices on networks.
Promote Transparency Across IoT
Identifying and managing devices generally requires a new and powerful kind of transparency. Corporate networks that are managed piecemeal, without network monitoring systems that cut across departmental boundaries, will be especially vulnerable to insidious IoT breaches.
This transparency also has to include vendors, who will need to promote better customer awareness of device capabilities and vulnerabilities. Businesses buying IoT products will need to insist on a far greater amount of information about what they are plugging into their networks than is common today.
Connect Carefully and Deliberately
That leads to the final point, which is that IoT rollouts should be conducted carefully and deliberately. Only after engaging every other step in the strategic blueprint should IoT networks be brought online, and then only with close monitoring. Selective connectivity should be the rule of the day, even when this means preventing users from bringing in their own systems.
As DHS points out in its guide, mitigation in this area is a constantly evolving, shared responsibility. Businesses will have to learn to work more closely than ever with vendors of IoT devices, and those vendors will have to provide better support, for longer periods and more effectively than ever before, if they hope to remain players in the market.
Like today’s internet, though, the IoT has the potential to entirely remake commerce and the daily life of every human being on the planet, and the economic benefits of ensuring security will pay huge dividends on the investment.