Gartner predicts that 25 billion Internet-connected devices will be in use by 2020 -- a figure CIOs are finding...
difficult to ignore. A survey of 700 IT decision makers by security vendor Tripwire revealed that 67% of them say that despite the potential risks of the Internet of Things (IoT), they will adopt it for efficiency reasons.
And there are risks aplenty. The presence of smart devices connected to the Internet and to your network means a whole new range of security risks and challenges. For starters? A lack of industry standards and technology architecture around the IoT, making it difficult to create security policies around them; some even argue that the IoT is impossible to secure.
In this #CIOChat, SearchCIO expert and former CIO Harvey Koeppel joins other tweet chatters to discuss formidable IoT security challenges and the ways companies can tackle them.
What should companies be doing to mitigate IoT security risks?
IoT devices, like other touchpoints, must fit within your organization's security strategy as a whole to prevent all-too-common data leakages and other privacy issues. This means coming up with a strong governance framework for these devices so that they meet security standards:
As Koeppel hinted at, IoT devices will require a new type of architecture, a tall order because they produce such a huge amount of data, and at the same time require that data to be processed for analytical purposes very quickly. One way to architect around the data-processing loads of the IoT, according to Nik Rouda, analyst at Enterprise Strategy Group, is aggregating and processing that data at the edge of the network. But edge computing brings with it new security challenges. "Data will also need to be encrypted at the edge," he said.
One huge hurdle to creating a security policy around IoT is that it lacks security standards. And even once those standards develop, Features Writer Kristen Lee points out that at best, organizations will be able to mitigate risks, not prevent them altogether:
A2 - It is imperative 2 include security early in design stage of IoT system. Retrospective implementation is unreal in IoT world. #CIOChat— Ales Teska (@alesteska) January 28, 2015
And they're not alone in that opinion. An agency as high up in the U.S. government as the Federal Trade Commission sees the value in what it calls "security by design." In a 71-page report it published last month, the FTC encouraged vendors of smart devices to follow security best practices when they design their products, including monitoring them through the course of their lifecycles.
As discussed earlier, your organization likely doesn't yet have an IoT-specific security policy in place, so where to start? With those existing security policies that already cover other aspects of your network, said some tweet chatters:
"You won't have to start from scratch," security consultant Kevin Beaver agrees. "The important thing is to ensure that the Internet of Things falls within the scope of each of these policies where necessary," he said.
Soon enough, organizations will need to develop new or updated policies around IoT that cover network segmentation, provisioning, access control and more, tweet chatters pointed out:
As Koeppel tweeted, organizations should look to industry vendors, which are already working to further secure their products with firewalls, authentication and access controls, and more, for threat intelligence in order to reduce the time they detect and mitigate threats. Companies should also collaborate with other IoT-implementing companies and share this information with each other.
But designing a secure IoT architecture doesn't just involve IoT vendors, new techniques and security procedures. Employees play a large role as well -- a recurring theme in prior tweet chats:
A2. Be proactive about security and investigate LoB use cases. Educate users. Avoid the "head in the sand" mindset #CIOChat— rajiv gupta (@trustedmind) January 28, 2015
A2: Effectively securing connected systems, requires users understanding their systems' threats & vulnerabilities to those threats. #ciochat— Eric Klein (@eakleiner) January 28, 2015
As tweeters emphasized, it's one thing to incorporate the IoT into your security policies and implement up-to-date security tools; it's quite another to familiarize employees with the risks that come with using IoT devices, as well as with security best practices such as using strong passwords and purchasing devices with security already built in.
Is IoT worth the risks?
The security and privacy issues around connected devices that continued to pop up throughout the chat caused some tweet jammers to pause and wonder: Are they really worth the risks to your enterprise?
As follower Amrit DePaulo brought up above, specific smart devices solve specific problems. Another question to ask before bringing an IoT device into your network, said Chris Kuntz of ThingWorx, is whether it ultimately solves a problem for the end user instead of functioning as a broadcast channel that notifies you there is a problem.
How about you? Do you think IoT is worth the security challenges? Let us know in the comments section below.
Get Harvey Koeppel's take on how CIOs can prepare for the Internet of Things. Then, see how IDC analyst Vernon Turner advises CIOs to handle the deluge of IoT data.