When it comes to IoT and security, I think it’s nearly impossible to overstate the need and the critical nature of security readiness.
Laura DiDio, research director at 451 Research
“A wide variety of smart technologies are being integrated into an incredible variety of objects by a multitude of companies, often using novel technologies,” McNicholas says. “The drive to push these devices to market quickly, combined with the need for communication with a wide variety of other devices, will result in gaps that can be exploited and which will dramatically increase the attack surface of organizations.”
A number of factors determine just how great the security risk is with any given connected device.
“Obviously those with a bigger attack surface such as internet-facing devices have greater risk,” says Scott Laliberte, managing director and global lead of the security and privacy practice at consulting firm Protiviti.
Another factor is how common the device is. “The greater the adoption of the device, the more likely it is to be targeted by bad guys,” Laliberte says. “The theory is the attackers’ efforts will be focused on devices that reap them greater rewards by having greater impact.”
Also, the more complex a device is, the more device functions there are to protect, and the more there is that can go wrong. Finally, high-risk functionality will likely draw the interest of people trying to wreak havoc. “The riskier the functionality, the greater the importance that the manufacturer secures the device effectively,” Laliberte says.
Device manufacturers need to make sure security is incorporated into the design and embedded in the product life cycle, Laliberte says. “Design the product to be easy for the consumer to secure,” he says. “Do not rely on them to perform critical activities needed to secure the device. They will likely not do it.”
Ultimately, users of IoT and the product manufacturers “have an obligation to install and create IoT products in ways that maximize usefulness and minimize risk,” Laliberte says. “The use of IoT devices is going to expand rapidly, and without adequate security we have the potential to introduce unknown dangers into our homes, workplaces and communities.”
The overwhelming number of insecure and unsecured IoT devices worldwide practically ensures that attacks such as DDoS will continue to proliferate for the foreseeable future, DiDio says.
While much of the focus is on protecting the network perimeter because it’s the so-called first line of defense, organizations can’t ignore key applications and servers located in the data center. “Another all too common security mistake organizations and IT departments sometimes make is the failure to physically secure devices,” DiDio says.
One of the first things an organization should do as it looks to bolster IoT security is gain a solid understanding of what IoT devices it currently has, as well as those it’s planning to deploy.