By Gary Audin
The MSP manages the networks of the customer. The customer wants to avail themselves of the data that Internet of Things (IoT) devices report and the endpoints they can control. You may discover that you customer’s employees are adding IoT devices to the network without authorization or reporting their existence.
Many consumer IoT devices are connected to the employees home networks and can be used as proxies to invade the business network. Many of the cheaper and consumer IoT devices have little or no satisfactory security.
The penetration of "non-business" IoT devices is increasing inside business networks. Devices such as smart lightbulbs, heart monitors, gym equipment, coffee machines, game consoles, and internet-connected pet feeders may not rise to the level in organizations’ threat models. This has become problematic because the security controls in consumer IoT devices are minimal. Keeping the IoT prices low leads to less security investment. Poor IoT device security stems results from manufacturers' goal to keep price points low. Security is considered an unnecessary overhead. The limited visibility combined with increased remote working leads to serious cybersecurity incidents.
The Palo Alto IoT security report “The Connected Enterprise: IoT Security Report 2021” provides insights into the use of non-industrial IoT devices and their penetration into business networks. Palo Alto Networks commissioned Vanson Bourne, a technology research firm, to survey “1,900 IT decision-makers at organizations in 18 countries in Asia, Europe, the Middle East, and the Americas on their primary IoT security issues.”
The key findings reported by Palo Alto are:
- COVID-19 and its impact have made it harder to keep IoT devices secure.
- Nearly all respondents (96%) who have IoT devices connected to their network reported their approach to IoT security requires an improvement. One in four (25%) indicated the requirement for an IoT security strategy overhaul.
- About half (51%) of the survey respondents who have IoT devices connected to their network reported that IoT devices are segmented on a separate network from the one they use for primary business devices and business applications.
- Technology executives are not sleeping well. Security cameras are a fine example of vulnerabilities. Palo Alto Networks research examined 135,000 security cameras in March 2021. They found that 54% of the cameras have at least one security vulnerability. This makes it possible for cameras to be hijacked and weaponized by setting up these devices as springboards to initiate attacks and access broader corporate networks.
The report listed the types of attacks that are encountered:
- Industrial Internet of Things (IIoT) attacks 55%
- Distributed Denial of Service (DDoS) 50%
- Breach of Connected Cameras 46%
- Breach of Internet of Medical Things (IoMT) 42%
- Breach of Connected Home Devices 37%
- Breach of Connected Wearables 32%
A separate report “State of Enterprise IoT Security in North America: Unmanaged and Unsecured” by Forrester Consulting was performed for Armis. The report by Forrester Consulting concluded that:
- “69% of enterprises have more IoT devices on their networks than computers.
- 84% of security professionals believe IoT devices are more vulnerable than computers.
- 67% of enterprises have experienced an IoT security incident.
- Only 16% of enterprise security managers say they have adequate visibility to the IoT devices in their environments.
- 93% of enterprises are planning to increase their spending on security for IoT and unmanaged devices.”
The Palo Alto report recommended that:
- Become familiar with your router by changing defaults and adding encryption such as WPA3 or WPA2.
- Ensure you know what devices are connected. Monitor for unauthorized devices.
- Segment WFH networks.
- Implement two factor authentications.
- Ensure you deploy security updates immediately.
The importance of implementing security solutions, practices, and controls that can identify and protect IoT devices cannot be underestimated. Business leaders are considering more IoT devices. The insights provided by these two reports can be used to focus on the improper and inadequate security controls on these devices. These lead the business and its customers to experience higher risks of data loss, physical damage, and revenue loss. Organizations should adopt an aggressive cybersecurity posture. When security protections are not deployed, businesses are more prone to be victimized by cyberattacks.