Sergey Nivens - Fotolia
With a number of never-before-seen BYOD/IoT devices entering enterprise networks, how should security programs deal with onboarding those devices?
Plainly and simply, if information security professionals are going to do something about the risks that bring your own devices (BYOD) and Internet of Things (IoT) devices introduce, they're going to have to find out what the risks are to begin with.
A lot of people I've heard and spoken with don't believe BYOD and IoT devices are a huge deal. In fact, many -- mostly executives that think they know more about security than you do -- will proudly and assertively proclaim these devices have nothing of value on them, and/or they don't use these devices in ways that create business risks. In addition, many people believe that because they are "compliant," then they are secure.
That said, I'd venture to guess that most people working in IT understand that if a device has an IP address, a URL or an on-off switch, then it's fair game for attack. Even if a coffee maker in the corporate break room or a physical security alarm system, for example, doesn't store customer information or intellectual property, you still have to consider how else it can be introducing risks -- i.e., weak network communication methods, lack of authentication and access controls, susceptibility to denial-of-service attacks and the like. Such vulnerabilities could be two or three "hops" removed from the enterprise network, but you have to determine how they can potentially be exploited. There's also a strong BYOD and IoT tie-in with security policies, business continuity and incident response; you have to be prepared.
That said, proper processes for device onboarding are critical to securing BYOD and IoT devices. Penetration testing and technical security reviews are the best way to find out how these mobile or otherwise non-traditional computing devices are creating risks (i.e. missing patches, open Web interfaces and weak authentication mechanisms) in your organization, so start there.
Much of information security is a mind game -- real-world human psychology. The trick to understanding this human side of security is to learn as much as you can about it and -- if you're able to master it -- the technical pieces will fall into place. Here's a piece I wrote on how to get your security messages across to management and another on selling the value of security to management for further reading.
Ask the Expert!
Want to ask Kevin Beaver a question about network security? Submit your questions now via email! (All questions are anonymous.)
Learn how onboarding tools are emerging as essential for employee retention and performance.
Dig Deeper on Internet of Things (IoT) Security Strategy
Related Q&A from Kevin Beaver
While most mobile platforms provide levels of security from mobile cryptojacking, IT must still be aware of the risks and procedures to address an ... Continue Reading
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.