IoT at work – don’t fall foul of the hidden dangers
The Internet of Things is growing fast. According to analysis from ABI Research for Verizon, the number of IoT devices is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices worldwide by 2020. But this exponential growth also brings with it higher security risks, writes Mike Simmonds, the managing director of Axial Systems.
72% of the security experts surveyed for ISACA’s 2015 IT Risk/Reward Barometer said they don’t believe device manufacturers are implementing sufficient security measures in IoT devices, and 73% said existing security standards in the industry do not sufficiently address IoT-specific security concerns.
These figures demonstrate significant risk. And the severity of that risk is further underlined by the assertion from 56% of the sample that their organisation’s IT department is not aware of all of its connected devices.
The blurring of the boundaries between home and office life is raising the stakes and making it even harder for IT to exercise control. One of the first questions many new employees ask when joining an organisation is “how can I connect my mobile phone up to the corporate email?” It increases the connectivity of the organisation, of course, and drives enhanced productivity, but it also means they are bringing new levels of insecurity into the business.
This is the key challenge that every company today is having to wrestle with, as the Internet of Things continues its onward march. They may decide they want to have a trust-based business model that drives flexibility but they can’t afford for that stance to negatively impact the security of their business.
Organisations should really ask themselves – first, do they allow this expansion of the corporate Internet of Things at all? Second, if they do, what corresponding security do they impose on the individual? The use of personal mobile phones in the office environment is an issue in itself. Most people only use a simple password on their phones and it’s relatively easy for anyone to replicate it, or effectively socially engineer that person into releasing information they should not.
Equally, once a personal device has been connected to the network and that individual leaves the business, he or she will take those emails and contacts with them. If the business does allow this to happen, there has to be a policy that gives the company rights, if needed, to access that individual’s phone and remove all corporate information. Alternatively, the company will need to employ technology allowing it to remotely wipe all of the business contents on the phone.
But the threat posed by the Internet of Things extends beyond the simple mobile phone. The potential risks are everywhere. The latest vogue is for connected smart TVs in the company boardroom. The most cutting-edge are voice-activated, but have you stopped to consider the security ramifications? The voice recognition capability is typically on the Internet rather than the device itself, so private conversations conducted in the room while the device is on could be transmitted externally. Corporate laptops connected up to home networks will almost certainly be subject to less stringent security controls than when used in the office environment and are therefore more prone to viruses and phishing attacks. The latest camera phones, computer apps and intelligent personal assistants bring additional concerns.
Get the balance right
It’s important to put this in perspective, of course. Movements like home and remote working, BYOD and the Internet of Things have transformed the business environment, bringing enhanced flexibility, operational efficiency and raised productivity. Too many restrictions can stymie those developments, making home working less flexible and productive and negatively impacting morale.
That said, in today’s increasingly Internet of Things-enabled age, businesses must put certain ground rules in place to ensure that their security is never compromised. Technology can only go so far, but if that technology is open or insecure then you run the risk of letting something onto the network that you really shouldn’t, from internet-enabled cameras to smart TVs to a host of other uncertified devices. Best practice would be to implement technology to prevent any interaction with bad websites and exploited locations, for example. But before you do this, you need to put policies in place.
Any new device plugged into the corporate network should be authorised. Moreover, visitors to the business should only be allowed onto a guest network – which should also be time-limited to prevent repeated use of company resources over time.
Contractors should never be allowed to come in with their own hardware, connect it up, and do what they want on your network. When it comes to security, the mantra should be ‘if you don’t know, the answer is no’. The Internet of Things is about convenience and enhanced capability, but if you want to access its benefits, you need to understand its risks and ensure you don’t fall foul of the hidden dangers.