The internet of things is changing the world as we know it, connecting devices to the internet to collect, transfer and exchange data. While IoT has been around for some time as part of Industry 4.0 and available in consumer products such as Fitbit, Nest and so forth, its applications in the enterprise are relatively new and constantly changing. Over time, businesses have realized that IoT applications have critical value, such as quantifying performance indicators, enabling efficiency mechanisms and optimizing corporate performance. Yet, in light of their increasingly widespread application, it’s time to discuss how IoT applications have evolved in the enterprise and what some of the hidden threats of engaging in IoT innovation may be.
The evolution of enterprise IoT
The internet of things first caught on in the industrial sector as part of the attempt to automate manual processes on the assembly line. A trend known as Industry 4.0 began in Germany and has now spread around the world, and involves transitioning to the “smart factory” in which IoT devices and cyber-physical systems communicate to carry out tasks. Since, enterprise IoT has expanded to nearly every sector and business unit — from retail to food and beverage and even to government and military — due to its benefits for productivity and data collection. Indeed, the strength of the IoT trend is backed by Gartner’s assertion that there will be 25 billion internet-connected devices by 2020, resulting in nearly $2 trillion in economic profit for those applying, purchasing and producing IoT technologies.
The evolution of enterprise IoT started out with simple internet-connected devices, such as VoIP telephones, printers and cameras. Instead of being hardwired onto the network, these devices can connect to the internet to improve performance within hyper-connected organizations. The keyword to remember here is can because the device, such as VoIP phone, doesn’t have to be connected — and in many cases, isn’t, but it can be connected if the need arises. This creates an area of vulnerability for enterprise because these relatively simple devices are usually overlooked in assessing network security needs, yet the potential for them to connect to the web could make them a gateway for cyberattacks.
The next stage of evolution in enterprise IoT is what you would call infrastructural IoT, or smart thermostats, water and electricity controls, and even kitchen appliances such as coffee machines and refrigerators. The main difference between infrastructural IoT devices and connected devices is that the former have an operating system installed that can be easily hacked and manipulated, while the latter only have the possibility of connecting to the web. Infrastructural IoT devices communicate with crucial endpoints on the network, such as switches, servers and computers. Therefore, using infrastructural IoT devices, hackers can apprehend the device and gain access to data stored on the network, creating the potential for data leaks and denial-of-service and malware attacks.
There is another more advanced kind of IoT device type that is relevant for enterprise: smart, data-collecting devices such as smart TVs and artificial intelligence gadgets. These have the same characteristics as the first two kinds of IoT devices — connecting to the internet and carrying out communications, but they are more advanced in that they collect and apply data. In a sense, these devices really have a mind of their own because they can make decisions based on machine learning and behavioral patterns and can even compile and share their own reports. While such devices have obvious benefits for businesses, including improved performance and efficiency, they present risks to the security of the enterprise network. The story of surveillance carried out over smart TVs is largely common knowledge by this point, but what many don’t realize is that smart TVs aren’t just listening to us, they are providing hackers with easy access to company data, conversations and network vulnerabilities. So, while investing in innovative technology has its benefits, the information the devices collect, share and apply put the enterprise network at risk.
Combating IoT risks
There’s no doubt that the evolution of IoT applications in enterprise settings has provided tools to streamline and improve businesses everywhere from the office to the factory and even in the kitchen. However, until official regulation is drafted that controls the security of these devices, organizations should remain alert to the underlying risks. To gain a hold on enterprise IoT security, organizations need complete visibility into the endpoints of all types connecting to their network, as well as mechanisms to control permissions and access for those endpoints.
A few best practices to live by for IoT in enterprise:
- Attain visibility into IoT devices, including their characteristics, location and network attributes. Visibility provides IT professionals with network knowledge that can be used to map out an IoT security strategy, help understand immediate IT security needs and as part of vulnerability or threat mapping. As more IT professionals are tasked with addressing cybersecurity concerns in the organization, an IoT visibility tool is key in helping them understand the state of endpoints on the network.
- Controlling access for IoT devices is just as important as seeing them. Segmenting IoT devices into a firewalled part of the network should be standard practice until security agents are made available for IoT devices. In addition, IT professionals should set specific access policies for IoT devices to control their connectivity, but they should also control access to the IoT device from other endpoints (for example, employees and contractors) to ensure that gateway attacks aren’t possible.
- Understanding device risk is another important practice seeing as there is still only limited information about IoT security vulnerabilities. If IT professionals can track normal and abnormal behavior for the IoT device, they may be able to prevent breaches and attacks carried out by accessing IoT devices. In the absence of authentication, assigning risk scores to IoT devices based on their network behavioral patterns is a great way to control hidden threats.
IoT may be the next big thing in enterprise technology, but the various types of connected devices that seem useful for a business have the potential to cause more harm than they help. If these risks are controlled with some of the abovementioned best practices, IoT can be engaged with in a healthier and safer fashion. If not, IoT has the potential to evolve into a minefield for cyber-risk in the enterprise.
Originally posted at IoT Agenda