The upheaval of 2020 included the unplanned shift to full-time remote work for millions of people around the world. This transformation opened the door for consumer IoT devices and systems in the home to encroach upon the technological security perimeter of many businesses and organizations.
IoT means interrelated computing devices, connected mechanical and digital machines, and people transferring data over a network without human interaction, and that’s not going away. Does your business know how to protect its IoT devices from compromise?
Many business leaders assume IoT is secure by design, but that’s not the case. IoT is different from most other technology because it’s always on, always listening. Most importantly, IoT’s connection to the internet exposes it to being hacked at some point. To shield your organization, a thorough safety and security review of IoT devices is necessary.
It’s critical to realize that IoT security isn’t just the concern of those focused on technology; it must be prioritized by everyone at all organizations.
Business leaders looking to create a culture of IoT safety can follow a few best practices to achieve the internal security alignment that these ubiquitous devices demand. It’s all right if you’re not sure where to begin: IoT moves so fast that it’s impossible to build anti-virus software to block its threats. There also isn’t enough information available, even for security pros. Regardless, here are pragmatic ways to get started now.
IoT security best practices
Ensure organizational oversight of all IoT devices. It is paramount that organizations understand the risk associated with IoT devices and determine who within the organization, whether OT, IT or both, is responsible for security and oversight. Ultimately, for whoever oversees IoT security, it is critical to create and foster a holistic security posture that is part of the organizational culture. The security perimeter is no longer just your building and network; employees are bringing consumer IoT into the business realm, particularly because so many people have been working remotely for the past year and a half.
Put a plan in place to prepare for or address the top 10 security issues. Core IoT testing should be based on internationally recognized criteria, such as the Open Web Application Security Project list of the top 10 most critical security risks to IoT devices. This list helps developers, manufacturers, businesses and consumers better understand the security issues associated with IoT and helps users in any context make better security decisions when building, deploying or assessing IoT technologies.
Do you know in which order these threats rank for your organization, or where you have the most vulnerabilities?
- Weak, guessable, or hardcoded passwords
- Insecure network services or protocols
- Insecure access interfaces
- Use of insecure or outdated components
- Lack of secure update mechanism
- Insufficient privacy protection
- Insecure data transfer and storage
- Lack of physical hardening
- Insufficient security configurability
- Lack of device management
As emerging U.K. government regulation of IoT shows, well-managed and secure passwords, vulnerability disclosure and informed software support can mitigate the risk your organization faces.
Map and understand your environment. If you aren’t using technology to map and understand your network, now is the time to start. You’ll be shocked to discover what’s in your environment if you’re not already using some type of technology to determine the elements and influences.
Evaluating the current status of your IoT security and insisting on certified products and standards is the ideal way to protect your business. Get started with comprehensive training if you can’t immediately afford an outside audit and a migration to certified products.
It’s also key to get the right teams in place, both on the IT and the security fronts, as well as for OT. With that accomplished, your organization may find that many of the most effective IoT security controls aren’t overly complex to put in place or execute.
Understand that an IoT device is never fully secure. In recognizing this, ensure the product is used for its intended purpose and has the appropriate safety controls in place. With the advances and benefits of digital transformation comes the daunting mandate to ensure your organization has installed all possible safeguards.
Organizations must use trusted frameworks and industry standards, such as ISO/IEC 30141:2018 for industry best practices, NIST 8259 from the US National Institute of Standards and Technology for device manufacturers or the Open Web Application Security Project’s Application Security Verification Standard for testing Web application security controls.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.