The number of non-business IoT devices on company networks is a growing concern, in terms of both volume and variety: from connected medical wearables and sports equipment to kitchen appliances and connected cars. The vast majority of these devices are vulnerable to attacks. Companies are not prepared for this, a recent study reveals, and admit an overhaul is needed.
Growing Number of Networked Devices
Research company Vanson Bourne conducted a survey on IoT practices, commissioned by Palo Alto Networks. They polled 1,350 IT business decision-makers in 14 countries across Asia, Europe, the Middle East and North America. Palo Alto Networks summarized the results in its IoT Security Report 2020. It reveals some of the threats posed by networked devices to large companies, and how CIOs view this issue.
The vast majority of respondents (95%) are confident that they have a good overview of the IoT devices on their organization’s network. Most also confirm the number of non-business devices is growing. Moreover, they see an increase in the variety of devices on the network. Besides typical hardware, such as laptops and smartphones, a number of IoT appliances, IoT gadgets and even electric vehicles are finding their way onto corporate networks.
According to the survey, the number of connected medical wearables has grown by 44%, followed by kitchen appliances (43%) and sports equipment (38%). This includes IoT-connected skipping ropes and exercise machines in, for example, company gyms. Also growing is the number of connected gaming devices (35%), connected desk toys (34%) and connected cars (27%).
Everything Needs to Be Secured
While decision-makers do seem to have a fairly good idea of the number and types of non-business related IoT devices on their network, they still have a long way to go in terms of securing them. 96% of respondents admit that current IoT security practices need improvement, with 17% stating a complete overhaul is needed. 41% say that they still need to make many improvements.
The researchers’ analysis also shows that many businesses are struggling to apply robust IoT security practices. For example, only one in five respondents (21%) use micro-segmentation to better secure IoT devices by having them on separate networks. This prevents cybercriminals from “jumping” from a poorly secured IoT device to systems, devices and applications that are critical to the business.
24% of those polled have not yet implemented this security measure, which is a cause for concern, especially since it’s not only the devices that employees bring in that can cause problems. In most office buildings, many connected devices and appliances are being added yearly. All of these need to be secured. Some are more vulnerable than others, and some are near impossible to secure. Consider, for example, devices that are not being patched or are no longer supported.
Steps to Strengthen IoT Security
The IoT Security Report suggests five steps organizations can take to strengthen their security. The first step is to ensure complete visibility by regularly running network discovery scans. How many devices are on the network? What type of devices are they? What’s their risk profile? Next comes network segmentation. Organizations should divide their networks into groups and put IoT devices onto separate networks. This significantly reduces the possible impact of an attack.
Strong password security remains fundamental. Therefore, as soon as an IoT device is connected to the business’s network, the IT team should require the user to change a weak or default password. Equally important are patches and updates. The report also warns that most IoT devices are not designed to patch security flaws regularly. So it’s up to the IT team to stay aware of known vulnerabilities and ensure they are patched accordingly.
The fifth and last tip is to monitor IoT devices at all times. This is easier when devices are segmented in groups with different “device roles”. How are they behaving? What does the traffic look like? Is the data flow changing? The advantage is that most IoT devices are usually very static in their behavior and thus easier to monitor. Real-time monitoring systems continuously analyze this behavior and can raise red flags in time.
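The monitoring step can be sketched as a per-role baseline check. This is an added example, not code from the report or from Palo Alto Networks; the flow-record layout, role names, hostnames and the `volume_factor` threshold are all assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

# Constructed flow records: (device_id, role, dst_host, dst_port, bytes_sent)
BASELINE_FLOWS = [
    ("cam-01", "camera", "nvr.corp.example", 554, 48000),
    ("cam-02", "camera", "nvr.corp.example", 554, 52000),
    ("cam-01", "camera", "ntp.corp.example", 123, 90),
    ("thermo-01", "thermostat", "hvac.corp.example", 8883, 1200),
    ("thermo-02", "thermostat", "hvac.corp.example", 8883, 1500),
]
OBSERVED_FLOWS = [
    ("cam-01", "camera", "nvr.corp.example", 554, 50000),
    ("cam-02", "camera", "10.20.0.15", 445, 3000),
    ("thermo-01", "thermostat", "hvac.corp.example", 8883, 900000),
    ("rope-07", "skipping-rope", "cloud.vendor.example", 443, 700),
]

def build_baseline(flows):
    """Per device role: each (dst_host, dst_port) seen and the largest flow to it."""
    baseline = defaultdict(dict)
    for _dev, role, dst, port, nbytes in flows:
        peer = (dst, port)
        baseline[role][peer] = max(baseline[role].get(peer, 0), nbytes)
    return dict(baseline)

def find_anomalies(flows, baseline, volume_factor=3):
    """Flag flows that deviate from what the device's role normally does."""
    alerts = []
    for dev, role, dst, port, nbytes in flows:
        known = baseline.get(role)
        if known is None:
            # Device type never profiled: a discovery gap, not just a traffic anomaly.
            alerts.append((dev, "unknown-role", role))
            continue
        peer = (dst, port)
        if peer not in known:
            alerts.append((dev, "new-destination", f"{dst}:{port}"))
        elif nbytes > volume_factor * known[peer]:
            alerts.append((dev, "volume-spike", f"{nbytes} bytes to {dst}:{port}"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```

Because devices in one role behave so uniformly, the baseline stays small, and a single unexpected destination or a change in data volume stands out.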