
What are enterprises' biggest IoT security challenges?
As the number of IoT devices in the enterprise grows, so do the potential risks. In this #CIOChat, participants identify the biggest IoT security challenges facing IT and the enterprise.
If the offerings at the recent International Consumer Electronics Show (CES) in Las Vegas are any indication, Internet of Things (IoT) technology seems set to shake up the enterprise. While this is good news in terms of business innovation -- with several IoT devices promising advances in efficiency, productivity, analytics and customer relationships -- this rapidly evolving technology also poses serious security challenges that cannot be ignored.
IoT security has even captured the attention of Capitol Hill, with members of U.S. Congress forming a new Congressional Caucus on the Internet of Things to educate members on the security, privacy and regulatory policy concerns around the technology. Congress is mainly focused on the protection of sensitive information streaming to and from connected devices.
With IoT security on everyone's mind, including Congress', and uncertainties surrounding how best to address these concerns, SearchCIO posed the question: What are the biggest IoT security challenges for the enterprise? What followed was a lively discussion among #CIOChat participants, editors and SearchCIO expert Harvey Koeppel on the security risks that come with IoT integration.
The increased potential for unsecured devices and data is a major concern for companies, and, as one participant points out, the security risks grow proportionally with the value of IoT devices:
A1: Unfortunately many and the number, intensity, soph. of hackers seeking to exploit a connected sys. grows w/ its systemic value #ciochat
— Eric Klein (@eakleiner) January 28, 2015
A1 - Biggest #iot security risks are exposing corporate data to outside. Already seeing it the building level. #ciochat
— Stuart Appley (@sappley) January 28, 2015
@searchCIO #CIOChat A1 90% of 25 billion devices are vulnerable! Privacy, Access Authorization, disruption of service are huge risks
— hrkoeppel (@hrkoeppel) January 28, 2015
A1. Comes down to data and lack of control of devices… #IoT opens up a whole new world of shadowIT possibilities! #CIOchat
— Brian Fanzo (@iSocialFanz) January 28, 2015
@TT_Nicole It's about securing the data, not the device, start at that layer and work up, not device and down #CIOchat
— Brian Katz (@bmkatz) January 28, 2015
Since the idea of networking devices and objects is still relatively new, security has not traditionally been considered in product or policy design. But if companies want to maximize data protection on IoT devices, participants say that security needs to be built in from inception rather than tacked on at the end:
a1 when implementers don't incorporate #IoT into their security policies or make sure vendors have security in mind #CIOChat
— Fran Sales (@Fran_S_TT) January 28, 2015
@Fran_S_TT #CIOChat A1 Amen to that. Security needs to be baked in from the start - not bolted on at the end...
— hrkoeppel (@hrkoeppel) January 28, 2015
@amrittsering @chris_rouland #CIOChat A1 Keep CISOs and Risk Managers in the loop from the start...
— hrkoeppel (@hrkoeppel) January 28, 2015
Echoing Koeppel's notion of keeping CISOs in the loop, Vernon Turner, senior vice president at market research firm IDC, suggests that CISOs should also collaborate with their peers in order to gain greater insights and situational awareness into areas vulnerable to breaches. IT collaboration and situational awareness were on the minds of #CIOChat-ers as well:
There is so much hidden value in #IoT that it's a good example of needed collaboration between IT and biz groups. #ciochat
— Stuart Appley (@sappley) January 28, 2015
A1-One of the biggest risks of IoT in the Enterprise is complete lack of situational awareness. #ciochat
— Chris Rouland (@chris_rouland) January 28, 2015
@DisruptivePM #CIOChat A1 will definitely need new standards around data masking and better ways to handle encryption
— hrkoeppel (@hrkoeppel) January 28, 2015
One major concern of participants was the ripple effect of unsecured devices on other areas of business and IT, including crucial networks and cloud processes:
#ciochat a1 the biggest IoT security risk to the enterprise is the corresponding cloud to the device and information leaks via that.
— Will Lassalle (@wlassalle) January 28, 2015
.@searchCIO lack of Viz/Control, poor sec coding, poor sec controls,enables the ability to cause harm & or pivot to corp resources #CIOchat
— Amrit DePaulo (@amrittsering) January 28, 2015
A1 poorly secured devices could = launching pnts for attcks eg distributed denial of service actions/ breaches into other networks #ciochat
— Kristen Lee (@Kristen_Lee_34) January 28, 2015
Lessons learned from BYOD
Is it too early to start BYOIoTD? In many ways, policies involving IoT devices are an extension of current BYOD policies, meaning companies don't necessarily have to start from scratch with IoT privacy and security plans. Moreover, the Internet of Things has the potential to influence and shift the BYOD trend by expanding it and making it more complex.
Senior News Writer Nicole Laskowski asked #CIOChat-ers what lessons they have learned from past or present BYOD policies that could be applied to IoT devices, setting off discussion on the management and security challenges of IoT integration:
@iSocialFanz @sappley What might be some lessons learned from BYOD that CIOs can draw from? #ciochat
— Nicole Laskowski (@TT_Nicole) January 28, 2015
@TT_Nicole @iSocialFanz @sappley there is no way to be secure in a byod model and it's false to think you can.
— Neal Conlon (@DisruptivePM) January 28, 2015
@TT_Nicole @sappley saying NO to everything just cause doesn't work. Saying yes but setting & updating standards & best practices #CIOChat
— Brian Fanzo (@iSocialFanz) January 28, 2015
The "no" attitude of some businesses comes from the fact that these BYOD policies are certain to make "profound changes not just to their technologies, but the very culture and operating model of their enterprise," according to SearchCIO expert Harvey Koeppel. This change is daunting for some companies, making them more reluctant to adopt the most forward-thinking policies. Several #CIOChat-ers agreed that successful IoT policies require a more accommodating outlook toward outside devices and a willingness to adapt:
@sappley @iSocialFanz @TT_Nicole a nudge towards a secure alt goes much further than a flat out no or block #ciochat
— rajiv gupta (@trustedmind) January 28, 2015
@sappley @iSocialFanz @TT_Nicole #CIOChat - need to change CIO and IT depth perception from Dept of NO to here's how...
— hrkoeppel (@hrkoeppel) January 28, 2015
The human element of BYOD security is another factor that can affect present and future IoT security policies. Whether knowingly or not, employees can be responsible for data breaches within their own companies, making it important to educate them on security best practices, participants said:
@trustedmind @TT_Nicole @sappley Yes but I believe if we teach best practices & explain why employees on avg will do what's best! #CIOchat
— Brian Fanzo (@iSocialFanz) January 28, 2015
@iSocialFanz @trustedmind @TT_Nicole @sappley Most breaches come from insider threats! #ciochat
— Bastille (@bastillenet) January 28, 2015
@sappley @bastillenet @trustedmind @TT_Nicole Yes without a doubt insider threat is the #1 those that do it on purpose & accident! #CIOChat
— Brian Fanzo (@iSocialFanz) January 28, 2015
On a lighter note, one participant pictured an alarming future of IoT security hacks:
Imagine a world where an eastern european hacker can burn your toast, make your morning coffee cold, or worse #CIOchat
— Amrit DePaulo (@amrittsering) January 28, 2015
While this portrayal of future IoT perils may be hyperbolic, the growing presence of IoT devices and objects does open up a whole new world of security dangers.