According to Gartner, by 2020 one-third of successful attacks experienced by enterprises will be on data located in shadow IT resources, including shadow Internet of Things (IoT).
The reality is that IT is not in control of IoT adoption. IT was outpaced by BYOD, and IoT is growing even faster. With the number of connected devices set to top 11 billion in 2018, IT departments are falling behind and are often forced to just let these devices connect. The risk of doing this is that each one is an endpoint that can potentially be taken over by a hacker. The devices have credentials into the network, and it doesn’t matter if there’s nothing on the device itself; it’s a gateway into your corporate and critical assets.
Organizations need to gain visibility into the devices on their networks, and take action to mitigate the risks they present.
Effective IoT security requires the consideration of key elements:
Objectives: Each company’s IoT initiative is different. Clear objectives need to be established before the right security can be implemented; it is important to adapt the overall security strategy to the organization’s goals.
Visibility: Discovering and classifying devices is critical; after all, you cannot secure what you cannot see. Agentless solutions that integrate with the entire network fabric are key. They can connect to all parts of the network and access all sets of data. In that way, they not only facilitate the discovery of devices but also determine what types of devices they are (classification).
Control: Different devices need different types of controls. The first step is understanding what the device is, so you can set policies that define what the devices are supposed to do on your network, and what they’re not supposed to do. Through continuous monitoring, you can identify what they’re doing on the network and look for deviations from normal activity. If the device is compromised, the organization can alert, block and take actions based on policy.
Ecosystem Integration: The ability to secure IoT devices involves the entire security ecosystem. Take advantage of all of the other elements of security already in place; these tools can be leveraged. Firewalls can be used as enforcement mechanisms, for instance, and security information and event management (SIEM) systems can enhance monitoring and analytics. Bringing all of the tools in the environment together increases the ability to orchestrate visibility and response.
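The Control and Ecosystem Integration elements above, as an added example that is not part of the original article: classified devices get a per-class policy, each observed flow is checked against it, and a deviation yields either an alert (for the SIEM) or a block (for the firewall). The device classes, addresses, ports and flow records are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    allowed: tuple       # (destination CIDR, port) pairs the device class may reach
    on_violation: str    # "alert" -> forward to SIEM, "block" -> enforce at firewall

# Constructed inventory (output of discovery/classification) and policies.
INVENTORY = {
    "aa:bb:cc:00:00:01": "ip_camera",
    "aa:bb:cc:00:00:02": "badge_reader",
    "aa:bb:cc:00:00:03": "smart_tv",
}
POLICIES = {
    "ip_camera":    Policy((("10.20.0.10/32", 554), ("10.20.0.10/32", 443)), "block"),
    "badge_reader": Policy((("10.30.0.0/24", 8443),), "block"),
    "smart_tv":     Policy((("0.0.0.0/0", 443),), "alert"),
}

def permitted(policy, dst, port):
    """True if (dst, port) matches any allowed (CIDR, port) pair."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(cidr) and port == p
               for cidr, p in policy.allowed)

def evaluate(flow):
    """Return (action, reason) for one flow record (mac, dst_ip, dst_port)."""
    mac, dst, port = flow
    device_class = INVENTORY.get(mac)
    policy = POLICIES.get(device_class)
    if device_class is None or policy is None:
        # Visibility gap: never discovered, or classified without a policy.
        return ("block", "unclassified device")
    if permitted(policy, dst, port):
        return ("allow", f"{device_class} within policy")
    return (policy.on_violation, f"{device_class} -> {dst}:{port} outside policy")

# Constructed flow records for illustration.
FLOWS = [
    ("aa:bb:cc:00:00:01", "10.20.0.10", 554),   # camera to its video recorder
    ("aa:bb:cc:00:00:01", "10.1.5.20", 445),    # camera reaching a file server
    ("aa:bb:cc:00:00:03", "203.0.113.7", 23),   # TV on an unexpected port
    ("de:ad:be:ef:00:09", "10.1.5.20", 22),     # device missing from inventory
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "=>", evaluate(f))
```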
Professional IoT device assessments can help your organization understand the risks inherent in the devices you use, and take action to mitigate those risks.