The scale of enterprise internet of things (IoT) is expanding faster than many organizations can keep up with.
Connected devices are now widespread in enterprises, manufacturing facilities and hospitals. In a modern warehouse, everything from robot assistants and security cameras to the HVAC system is connected to the internet. Meanwhile, today’s hospitals are filled with a slew of new medical devices to take vital signs or administer care.
Connected devices are estimated to reach 25 billion by 2021. But here is the unnerving part: Up to 90% of these devices will be unmanaged and what is referred to as “un-agentable.” Traditional cybersecurity solutions will not be able to protect these devices.
This makes the need for enterprise IoT security all too clear. Many business networks are connecting to more and more devices with no solution to see, manage or secure them.
In fact, our data shows that most companies can’t see 40% of the devices in their environments. Despite this risk, various myths and misconceptions can keep these threats from being properly addressed. Let’s look at some of the common myths related to enterprise IoT devices and how they leave businesses at risk.
Myth 1: IoT devices are a consumer problem, not an enterprise problem.
The first thing most people think of when they hear “IoT device” is the smart speaker in your living room or the refrigerator that tells you when the milk has run out. But the real danger lies not in your home refrigerator but the one holding next year’s flu vaccine. Industries, and therefore consumers of those industries, rely on connected industrial control systems for the manufacturing and transport of goods, plastics, chemicals and food. What if someone were to hack and disrupt that process? An unmanaged or enterprise IoT device includes everything from printers, VoIP phones and smart TVs to security cameras, routers, badge readers, infusion pumps, MRIs, ventilators and even smart forklifts.
Meanwhile, devices are being brought into the workplace by employees, vendors and even our own facilities teams. All these new devices are designed to connect people and the business, and they drive collaboration. But when these devices are connected to company networks, they become unsecured enterprise endpoints and create a new kind of exposure.
Enterprise IT is responsible for managed, unmanaged and un-agentable devices alike. If the business is compromised because of a connected device — whether IT knew about it or not — it’s still IT’s responsibility to manage the impact.
You need to be able to account for all devices in your environment at all times.
Myth 2: There aren’t that many devices in use.
There is a common misperception that there are not many un-agentable devices across the enterprise. Data from analysts and from our research shows that these devices are already outpacing the number of managed devices — desktops, laptops, servers, etc. — across an organization.
These connected devices are everywhere in manufacturing, power and utilities. (Ever hear of a pipeline sensor hacked for Bitcoin mining? We have.) More business processes are being automated or connected to the internet to drive productivity, efficiency and data gathering. Imagine if any of these systems were compromised.
Here is an exercise: Next time you are in a meeting, count up all the devices in the room around you that are not company laptops. There’s the smart TV, smartphones, smart lighting, HVAC, web cameras, tablets, personal devices, etc. The numbers become quite obvious.
Businesses must gain visibility into all of the devices on their network so they know where potential vulnerabilities lie. One best practice is to establish lines of communication and rules of engagement for IoT within your enterprise — involving your IT teams and suppliers — so that there’s constant visibility into how connected devices are deployed and managed.
‘Smart’ Doesn’t Mean ‘Secure’: Four IoT Myths That Leave Enterprises Vulnerable
Myth 3: IoT devices aren’t attacked often.
Who would bother to hack into your conference room’s smart TV or the badge reader you swipe to get into work? What could they possibly gain?
The answer: More than you’d think. IoT attacks increased 200% from 2017 to 2018, and we expect that trend to continue. In August, Microsoft released a report warning that hackers can breach secure networks through simple IoT devices.
IoT vulnerabilities aren’t just about data theft. An enterprise IoT breach can result in data manipulation.
Imagine an attack showing false results on a CT scan in a hospital. Or a hacker attacking a manufacturer so that everything coming off the production line is built wrong. The threat of network disruption could mean operational impact and bottom-line losses, and could even jeopardize physical safety. We’ve seen ransomware spreading across a hospital’s flat network and infecting MRI machines. In another case, we found compromised security cameras that were part of a botnet trying to infect other cameras and routers on their network.
Hackers seek the path of least resistance to gain entry to a company, a network or a device. Today’s enterprise IoT devices have no inherent security, and you can’t install any security software or agents on them. That’s why I call unmanaged or IoT devices “un-agentable devices.” And that makes them a prime target for hackers and other bad actors.
IoT devices must be identifiable, maintained and monitored by security teams, especially in large, distributed enterprises. They must also be protected. That means gaining control over each device so that when (not if) it’s attacked, you can more quickly halt infection.
Myth 4: Traditional enterprise security protects enterprise IoT devices.
Our legacy devices required a traditional approach to security. But this approach breaks down in a world of devices where you can’t install an agent; where devices talk to each other through Bluetooth and other protocols; where networks or perimeter solutions don’t track traffic; and where you whitelist new devices on the network, but can’t detect if they’re under attack or compromised. Sure, you can control your employees’ laptops, but can you control your vendors’ laptops? Or the smart TV that just went into the board room? Or the smartwatch on your CEO’s wrist that is connected to his or her smartphone, which is in turn connected to your corporate network?
Just because we call it a “smart” device does not mean it’s secure. And just because it is on the network behind your firewall does not mean it can’t be attacked or compromised. If you can’t see a device or know what it is doing, there is no way you can protect it.
Enterprise IoT delivers the promise — and reality — of operational efficiencies and improved productivity. But we’ve built it without security. And if left unprotected, the exposure could result in bottom-line damages.