Enterprise IoT Devices Proliferate with Promise and Security Risks

Sep 18, 2015

Consumer products like fitness trackers and smart thermostats are among the most easily identifiable "things" of the Internet of Things. But the IoT also has a buttoned-up side. Many enterprises are deploying sensor-packed devices that gather data and can communicate with other devices through the internet. Their benefits can be wide ranging, and they include the potential for improving decision-making capabilities and creating efficiencies through automation. There's a catch, though: These data-rich, connected technologies can pose security risks. Cybercriminals have their eyes on the IoT, too.

"Every time you connect something to the internet, it becomes communicable--meaning it can both communicate and be communicated with," says Jessica Groopman, research director and principal analyst at Harbor Research. "We expect the constituencies with which the device is communicating to be identifiable, authenticated, and secure, but that is not always the case."

Growing IoT Uses for Businesses

Momentum for smart devices in the workplace is building. A February Verizon report forecasts the number of business-to-business IoT connections globally will grow from 1.2 billion in 2014 to 5.4 billion in 2020. The report also estimates that today, just 10% of enterprises have adopted IoT extensively.

Those that have launched IoT ecosystems span industries. For instance, utility companies are using smart meters to access customers' energy usage data. Retailers are using beacons to send coupons to in-store customers. Healthcare providers are linking drug dispensaries, MRIs, and insulin pumps to their networks. And auto insurers are asking members to install diagnostic plugs into their vehicles that monitor their driving habits; the insurers are rewarding good drivers.

IoT Headaches for Security Professionals

So far, the IoT hasn't been significantly linked to cyberattacks. Most of the reported examples of IoT device breaches have just been proofs of concept, according to another Verizon report.

Still, cybercriminals have incentives to pounce. The devices could contain data that hackers may wish to use or sell. Likewise, hacking into the machines could potentially lead to bigger gems on the network, like a company's intellectual property. Meanwhile, network defenders face a number of challenges securing the IoT. There aren't widely adopted security practices for the technologies, for instance, and they often rely on the cloud to store information, which itself can have safety risks.

Likewise, many IoT devices connected to a company's network are typically managed by a third party, according to Tom Byrnes, CEO of the cybersecurity firm ThreatSTOP. As a result, an organization's IT department isn't always able to patch software, which leaves vulnerabilities in the devices.

Making matters worse, in the rush to market, many IoT manufacturers don't make security a priority. "If you are designing something with security as one of its main features from day one, your development time and cost are a lot higher," says Stu Sjouwerman, CEO of KnowBe4, which provides security awareness training.

Security problems are already becoming apparent. A July HP Fortify study found 100% of tested smartwatches contain significant vulnerabilities, including insufficient authentication, lack of encryption, and privacy concerns. Fears about IoT security are surfacing at a time when companies are already struggling to defend their assets. The 2015 US State of Cybercrime Survey found that 79% of survey respondents said they detected a security incident in the past 12 months - and that only accounts for the known incidents.

Deploy Now or Later?

Assessing the risks of adopting IoT devices isn't easy. Asking the right questions can help, and a recent report by OpenDNS Security Labs offers a handful to consider. They include: Who is responsible for the storage, resilience, and protection of data? What data is being sent and stored, and how long is it retained? And how, and to where, does the device communicate?

Some organizations may feel a competitive tug to jump into the IoT, but there's an argument for holding off, too. "I would be quite conservative in the adoption of IoT devices to begin with because it's all 1.0," Sjouwerman says. "You want to stay away from IoT devices until the first shakeout is over and until some market leaders have shown up, who are then required to build some security in."
