
How to approach IoT security challenges and mitigate risks
The lack of standards and architecture makes IoT security a challenge. In this #CIOChat, tweet jammers discuss how to cut down on the risks that come with the Internet of Things.
Gartner predicts that 25 billion Internet-connected devices will be in use by 2020 -- a figure CIOs are finding difficult to ignore. A survey of 700 IT decision makers by security vendor Tripwire revealed that 67% of them say that despite the potential risks of the Internet of Things (IoT), they will adopt it for efficiency reasons.
And there are risks aplenty. The presence of smart devices connected to the Internet and to your network means a whole new range of security risks and challenges. For starters? A lack of industry standards and technology architecture around the IoT, which makes it difficult to create security policies for these devices; some even argue that the IoT is impossible to secure.
In this #CIOChat, SearchCIO expert and former CIO Harvey Koeppel joins other tweet chatters to discuss formidable IoT security challenges and the ways companies can tackle them.
What should companies be doing to mitigate IoT security risks?
IoT devices, like other touchpoints, must fit within your organization's security strategy as a whole to prevent all-too-common data leakages and other privacy issues. This means coming up with a strong governance framework for these devices so that they meet security standards:
@searchCIO #CIOChat A2 Need new architecture and governance models for security. Also, proactively plan network/infrastructure upgrades
— hrkoeppel (@hrkoeppel)
January 28, 2015
Even in financial services and the street there are heavy talks underway for better #data-governance #iot #CIOChat
— Neal Conlon (@DisruptivePM)
January 28, 2015
As Koeppel hinted at, IoT devices will require a new type of architecture, a tall order because they produce such a huge amount of data, and at the same time require that data to be processed for analytical purposes very quickly. One way to architect around the data-processing loads of the IoT, according to Nik Rouda, analyst at Enterprise Strategy Group, is aggregating and processing that data at the edge of the network. But edge computing brings with it new security challenges. "Data will also need to be encrypted at the edge," he said.
One huge hurdle to creating a security policy around IoT is that it lacks security standards. And even once those standards develop, Features Writer Kristen Lee points out that at best, organizations will be able to mitigate risks, not prevent them altogether:
A2 physical device security, data & network security, & incident monitoring & response. But some say the #IoT is imposs to secure #ciochat
— Kristen Lee (@Kristen_Lee_34)
January 28, 2015
The best-case scenario: building in security from the start, tweeted participants Brian Katz and Ales Teska:
A2. Integrate #IoT by starting w a secure framework & building upon that, always harder to bring security in as afterthought #ciochat
— Brian Katz (@bmkatz)
January 28, 2015
A2 - It is imperative 2 include security early in design stage of IoT system. Retrospective implementation is unreal in IoT world. #CIOChat
— Ales Teska (@alesteska)
January 28, 2015
And they're not alone in that opinion. An agency as high up in the U.S. government as the Federal Trade Commission sees the value in what it calls "security by design." In a 71-page report it published last month, the FTC encouraged vendors of smart devices to follow security best practices when they design their products, including monitoring them through the course of their lifecycles.
As discussed earlier, your organization likely doesn't yet have an IoT-specific security policy in place, so where to start? With those existing security policies that already cover other aspects of your network, said some tweet chatters:
.@searchCIO Apply same sec principles to IoT that are applied to all corp resources & ensure sec & risk r involved prior to deploy #CIOchat
— Amrit DePaulo (@amrittsering)
January 28, 2015
A2 - Treat #iot as another data source and incorporate into #security oversight. #ciochat
— Stuart Appley (@sappley)
January 28, 2015
"You won't have to start from scratch," security consultant Kevin Beaver agrees. "The important thing is to ensure that the Internet of Things falls within the scope of each of these policies where necessary," he said.
Soon enough, organizations will need to develop new or updated policies around IoT that cover network segmentation, provisioning, access control and more, tweet chatters pointed out:
@chris_rouland #CIOChat A2 good opportunity for industry vertical community collaboration around threat awareness and mitigation
— hrkoeppel (@hrkoeppel)
January 28, 2015
@iSocialFanz @sappley @TT_Nicole #CIOChat A2 new techniques, policies, procedures for provisioning/deprovisioning will be key
— hrkoeppel (@hrkoeppel)
January 28, 2015
As Koeppel tweeted, organizations should look to industry vendors for threat intelligence in order to reduce the time it takes to detect and mitigate threats; those vendors are already working to further secure their products with firewalls, authentication, access controls and more. Companies should also collaborate with other IoT-implementing companies and share this information with each other.
But designing a secure IoT architecture doesn't just involve IoT vendors, new techniques and security procedures. Employees play a large role as well -- a recurring theme in prior tweet chats:
A2. Be proactive about security and investigate LoB use cases. Educate users. Avoid the "head in the sand" mindset #CIOChat
— rajiv gupta (@trustedmind)
January 28, 2015
A2: Effectively securing connected systems, requires users understanding their systems' threats & vulnerabilities to those threats. #ciochat
— Eric Klein (@eakleiner)
January 28, 2015
#CIOChat a2. Companies should be educating employees & themselves on the IoT techs & their risks, in addition to updating #infosec policies
— Will Lassalle (@wlassalle)
January 28, 2015
As tweeters emphasized, it's one thing to incorporate the IoT into your security policies and implement up-to-date security tools; it's quite another to familiarize employees with the risks that come with using IoT devices, as well as with security best practices such as using strong passwords and purchasing devices with security already built in.
Is IoT worth the risks?
The security and privacy issues around connected devices that continued to pop up throughout the chat caused some tweet jammers to pause and wonder: Are they really worth the risks to your enterprise?
@amrittsering @searchCIO is start with asking if whether internet connected blenders solves a fundamental human problem. #no
— Michael Cole (@MCole1008)
January 28, 2015
@MCole1008 @searchCIO Intermittently connected, smart devices can solve a myriad of problems, blenders & fridges excluded #CIOchat
— Amrit DePaulo (@amrittsering)
January 28, 2015
@MCole1008 @searchCIO For corporate value or solving fundamental human problems? Med devices, smart meters, swarm intelligence #CIOchat
— Amrit DePaulo (@amrittsering)
January 28, 2015
@MCole1008 @amrittsering 'Just because we can doesn't mean we should' should be standard discussion point for IoT-anything. #ciochat
— Nicole Laskowski (@TT_Nicole)
January 28, 2015
@MCole1008 @searchCIO that same question can be applied to the Internet, BYOD, mobile & cloud-computing, answer is always yes #CIochat
— Amrit DePaulo (@amrittsering)
January 28, 2015
As follower Amrit DePaulo brought up above, specific smart devices solve specific problems. Another question to ask before bringing an IoT device into your network, said Chris Kuntz of ThingWorx, is whether it ultimately solves a problem for the end user instead of functioning as a broadcast channel that notifies you there is a problem.
How about you? Do you think IoT is worth the security challenges? Let us know in the comments section below.
This tweet recap is part of our #CIOChat on IoT security, hosted by SearchCIO. For more recaps and further information on our next tweet chat, follow @SearchCIO on Twitter.