Most enterprise security organizations are unlikely to have a spamming refrigerator on top of their list of things to worry about. But news earlier this year that an Internet-connected fridge was co-opted into a botnet that sent spam to tens of thousands of Internet users is sure to have piqued the interest of at least a few.
If nothing, the incident showed how even a benign consumer appliance could pose a danger to enterprises if connected to the Internet without proper security protections.
Over the next few years, analysts expect tens of billions of devices to be connected to the Internet in similar fashion. The so-called Internet of Things (IoT) phenomenon promises, or threatens, depending on your point of view, to transform our understanding of the Internet and a networked world. A lot of what will transpire will be on consumer-oriented products. But as with everything in technology, what happens in the consumer world will inevitably affect the enterprise.
Here in no particular order are six ways the Internet of Things will affect enterprise security:
1. The IoT will create billions of new (insecure) end points
Analyst firms have differing takes on the number of devices or "things" that will connect to the Internet by 2020. Estimates range from Gartner's 26 billion devices to IDC's somewhat dystopian projection of 212 billion installed devices. Regardless of which is right, the one thing that is certain is that a lot of IP-enabled devices will one day find a home inside enterprises. Examples include smart heating and lighting systems, intelligent meters, equipment monitoring and maintenance sensors, industrial robots, asset tracking systems, smart retail shelves, plant control systems and personal devices such as smart watches, digital glasses and fitness monitoring products.
Many of the products will be single-purpose devices that originate in the consumer market. Others will have Internet connectivity added, almost as an afterthought, via cheap sensors. A vast majority will have little to no protection against common online attacks. The operating system, firmware and patch support that IT organizations have long been accustomed to, will not always be available with these devices.
The IoT inherently creates billions of insecure new endpoints, said Eric Chiu, president of cloud security vendor Hytrust. These IP-addressable devices will create new vectors of attack designed to either compromise the device or gain access to the enterprise network.
IoT devices will typically not be protected with whatever anti-spam, anti-virus and anti-malware infrastructures are available, nor will they be routinely monitored by IT teams or receive patches to address new security issues as they arise, Chiu said.
The idea that enterprises can somehow control whom to let in is going to go out the window, Chiu said. "Companies will have to just assume the bad guy is already there," and respond accordingly. This does not mean abandoning perimeter defenses. Rather it means adopting a strategy that starts with presuming the attackers are already in the network, he said.
Sign up for CIO Asia eNewsletters.