By 2020 there will be close to 8 billion things connected to company networks and, ultimately, the Internet, more than the human population. These devices include physical security devices such as cameras, door locks, motion and fire detectors, phones, televisions, purpose-built medical or manufacturing appliances, robots, vehicles, sensors, reporting platforms, and communications and presentation systems.
Many devices that only several years ago didn't live on the computer network have become IP enabled and now communicate over the same cables, switches and firewalls as computers, servers and printers, putting corporate data at risk.
These devices create a growing security and compliance risk for companies that don’t have the resources to deploy, manage and maintain them in a manner consistent with IT security best practices.
Answering these five questions before allowing IoT devices on the company network can reduce risk of a breach and data loss.
- How are firmware, security patches and software updates applied and maintained on the devices?
- Much like computers and servers, IoT devices have firmware, security patches and software updates that must be applied. IoT devices present challenges because of their number, their variety, and how they communicate on the local network and to the cloud. A further challenge is whether the device can only be updated locally by physically connecting to it, or whether updates can be pushed over the network. Devices also become obsolete more rapidly, which eventually precludes them from being patched and updated and increases their vulnerability. A device management system needs to be put in place to ensure devices are maintained in a timely manner and identified for retirement when patches are no longer available.
- How are devices authorized on the network and credentials maintained?
- Devices should authenticate themselves to the network, like a computer authenticating to a server or network port, before being able to access data and transmit it outside of the network. Strong passwords and certificates will help resolve security issues, but at a minimum, factory default passwords need to be changed and the network configured to accept only known devices.
- How is communication established between the device and the network?
- Once a device has been authorized and is secure on the network, the transmission of data must use transport encryption, such as TLS, for data in motion. Confidentiality of data is a prerequisite of most IT compliance frameworks such as HIPAA.
- How is data stored and processed?
- Much like the transmission of data needing to be secure, it must also be secure where it is stored and processed. Encryption is necessary in the cloud as well as enforcing data retention/storage rules to discard data that is no longer needed.
- How are vulnerabilities and breaches detected and remediated?
- Regular vulnerability scanning is a cornerstone of IT security. Various tools can scan all IT assets, including IoT, so that known vulnerabilities can be identified and remediated; remediation often comes back to our first question regarding patching and updates. The vulnerability database grows every day, currently standing at 111.898 entries, as vulnerabilities are found and exploited by hackers. There have been numerous examples of IoT devices having a vulnerability exploited to gain access to a network and steal data, including security cameras, thermostats, door bells and cardiac devices.
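To make the first two questions (patch status and retirement, authentication and default credentials) and the transport-encryption question concrete, here is an added example of an inventory triage check, not code from the original article or from Tower 23 IT; the device record fields, finding names and sample devices are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Dict

# Hypothetical inventory record; field names are assumptions for this example.
@dataclass
class IoTDevice:
    name: str
    firmware: str                    # installed firmware version, e.g. "1.4.2"
    latest_firmware: Optional[str]   # vendor's newest version; None = no patches published anymore
    default_credentials: bool        # factory password still in place
    network_authenticated: bool      # device authenticates before it may send data off-network
    transport_encrypted: bool        # data in motion uses TLS or equivalent

def version_tuple(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))

def triage(dev: IoTDevice) -> List[str]:
    """Return the findings a device must clear before it is allowed on the network."""
    findings = []
    if dev.latest_firmware is None:
        findings.append("RETIRE")          # no patches remain available: schedule replacement
    elif version_tuple(dev.firmware) < version_tuple(dev.latest_firmware):
        findings.append("PATCH_AVAILABLE")  # vendor update exists but is not applied
    if dev.default_credentials:
        findings.append("DEFAULT_CREDENTIALS")
    if not dev.network_authenticated:
        findings.append("UNAUTHENTICATED")
    if not dev.transport_encrypted:
        findings.append("CLEARTEXT")
    return findings

def review_inventory(devices: List[IoTDevice]) -> Dict[str, List[str]]:
    """Map each device name to its open findings; an empty list means it may stay."""
    return {dev.name: triage(dev) for dev in devices}

# Constructed sample inventory (not real devices or vendors).
SAMPLE_INVENTORY = [
    IoTDevice("lobby-camera", "1.4.2", "1.5.0", True, False, False),
    IoTDevice("hvac-thermostat", "3.0.1", None, False, True, True),
    IoTDevice("server-room-lock", "2.2.0", "2.2.0", False, True, True),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

Running it lists the camera with four open findings, flags the thermostat for retirement because its vendor no longer publishes patches, and clears the door lock.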
The IoT tsunami is already here and will not subside. It is dramatically changing the underlying networks of businesses and consumers, but answering these questions and working with your IT partner is the best way to minimize a risk that grows with each new device on your network.
Scott Cooper is the President of Tower 23 IT, an IT outsource solution for small to medium businesses specializing in protecting client health and financial data to meet privacy, compliance and security requirements in the healthcare, legal, financial, real estate and insurance industries. Scott can be reached at scottc@Tower23IT.com or 858.877.6219.