Internet of Things (IoT) devices are regarded within cybersecurity circles as some of the least secure, and therefore one of the biggest areas of vulnerability in an organization. IoT devices are so ubiquitous and connected to the broader enterprise that ensuring they are protected is one of the biggest challenges facing cybersecurity teams.
The McKinsey Global Institute has estimated that 127 new IoT devices go online every second, so it’s a challenge that will only grow. With employees working from home and connecting different devices to corporate networks, there is further cause for concern, and it is something that needs to be addressed, or the connected world that we rely on could be at threat.
What is the best strategy for IoT cybersecurity, and how should organizations approach it?
The ongoing rise of IoT devices
The IoT is by no means a new technology. Devices connected to the internet have been around for decades, but it feels like the last five years have seen a truly dramatic surge in the number of such devices.
Not only are they greater in volume, but they have assumed far greater importance in our lives. Where amateur runners would once go for a run using just a stopwatch, many now capture all manner of data (heartbeat, pace, distance, steps) from their smartwatch and upload that immediately to an app, often via a laptop.
Some people have personal devices, but others will use a work laptop for that type of activity. And that’s just one example of thousands. Clearswift research in 2020 with UK public sector workers found that 38% use personal USB sticks at work at least once a week (38%), and one-third use unauthorized devices at least once a day.
People are connecting more devices to workplace systems and networks than ever before. When you then factor in all the industrial IoT devices used in manufacturing, construction, agriculture, health, and more, and the number of machine-to-machine interactions that take place, only then does the scale of the cybersecurity challenge become clear.
IoT and locking down the supply chain
Part of the cybersecurity challenge with IoT is that an organization is only ever as strong as its weakest link. And given that the business world is now so interconnected, it's not unreasonable to assume that a one-off IoT breach in an organization could have significant ramifications for its entire supply chain.
Every organization connected to that business could be at risk, so it's clear that addressing IoT cybersecurity and keeping supply chains locked down is a priority. In Q4 2020, Fortra research with CISOs in FS firms found that nearly half of those believed cybersecurity weaknesses in the supply chain could cause the most damage.
So, it’s a complex and potentially damaging situation that requires a constantly evolving solution. But there are three main areas of focus for any organization aiming to stay on top of its IoT cybersecurity.
1. Understand your IoT environment
Knowing which IoT devices are connecting to your network at a given time is hugely important. Without that element of basic control, any cybersecurity team will struggle to keep the organization secure. There are many device identification tools available, and cybersecurity teams should run regular audits of the IoT environment with the ultimate aim of maintaining a real-time inventory.
From here, it’s much easier to understand the potential threat and put in place the solutions to mitigate risk.
2. Protect your data at all costs
Many cybersecurity attacks target an organization’s data, including when attempting entry to a network via an IoT device. Because there are so many IoT devices, there is more sensitive data shared across a network than ever, meaning billions of data points are potentially at risk.
This is where the Fortra data security suite can help. This offers data classification to identify, label, and control data, Managed File Transfer to apply encryption and access control policies to files, and an Adaptive Data Loss Prevention (A-DLP) solution to detect and prevent unauthorized disclosure before the data breach occurs.
3. Educate employees and establish processes
Employee education as to what is and what isn't acceptable is imperative. This includes providing clear policy on the use of devices to connect to the network and guidance on what an employee should do if they use an IoT device and think a breach has occurred.
These processes should include details on who to contact and establishing the chain of events to minimize any impact from the breach.
Now in 2022, the volume of IoT devices in the enterprise will only increase. This means cybersecurity teams face more and more potential vulnerabilities and must remain alert to the possibility of an IoT breach and be ready to deal with one if it does occur.