
‘Shadow IoT’: The growing corporate security blindspot

Darryl Jones

Businesses, manufacturers, and legislators each have their own role to play to manage the risks of ‘shadow IoT’

With only a third of workers set to return to the office by autumn, UK businesses will continue to have millions of employees working from home for the foreseeable future.

This change has required businesses to introduce a myriad of new policies and procedures to adapt, not least in the field of enterprise security.

For years, industry insiders have predicted IoT devices to surge in number. SoftBank’s COO, Marcelo Claure, boldly stated in 2018 that there will be 100 IoT devices for every person by 2025. That’s nearly a trillion IoT devices in total. What’s more, he said that businesses will increase their IoT spend by 96% in the next three years.

The pandemic has seen demand for IoT devices accelerate as homebound consumers buy devices to kit out their home offices. However, this new wave of IoT purchases, from WiFi routers and mesh networks to smart speakers and health-focused wearables, could undermine businesses’ security as the ‘enterprise’ becomes the worker’s home itself.

How secure is your IoT device?

The majority of IoT devices purchased for the home are relatively inexpensive and marketed to the average consumer, and often little effort has been made to protect them at either the hardware or the software level.

What’s more, IT teams have no visibility of which devices employees own or of the security measures employees have (or haven’t) taken. With 15% of IoT device owners still using default passwords, the chances are high that most businesses have at least one employee with a vulnerable device on their home network.

And when that device sits on the same network the worker uses for email, file sharing and access to protected data, a private vulnerability becomes a business problem. An attacker gains a wider attack surface through the IoT device: its hardware, the network services it exposes, its APIs and its management interfaces.

With no sign of a full-scale return to the office anytime soon, governments, manufacturers, IT security teams and employees all have a role to play in mitigating these risks.

IoT security 101 for corporate IT

The good news is that IoT device security principles are similar to those applied to other devices and data in general.

Because the consumer devices themselves are beyond the view of IT and operations teams, those teams must instead put in place tools that protect the corporate endpoints and monitor them at the network edge; early detection and prevention of intrusion is still the best way to avoid a breach.

Encryption, host firewalls and other security controls on corporate IT equipment that sits on the same network as consumer IoT devices should be reviewed. That equipment is the first line of defence and has to provide the protections that, as outlined above, the consumer devices frequently don’t provide as standard.

The corporate devices should be assessed against the attack surfaces listed above and hardened accordingly, for example by requiring stronger, continuously enforced authentication for any device that joins a corporate network.

Employee education and basic cybersecurity training and awareness also play an important role in mitigating risk. For example, connecting IoT devices to a separate network (a guest or dedicated Wi-Fi network on the home router) makes attacks much harder, so asking employees to separate work and consumer devices at the network level could have a significant impact.
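The monitoring and segmentation advice above can be turned into a concrete check. The script below is an added example, not code from the original article or from any product it mentions: it parses a handful of constructed flow records (of the kind a home router, NetFlow collector or Zeek sensor exports) and flags consumer-subnet devices that reach work equipment, especially on ports such as SMB, RDP or SSH that a smart speaker or wearable never has a legitimate reason to touch. The two subnets, the port list and the sample flows are all hypothetical.

```python
"""
Added example: detect consumer IoT devices crossing into the work segment.

Assumptions (hypothetical, for illustration only):
  - the home router has two subnets: 192.168.10.0/24 for work devices and
    192.168.20.0/24 for consumer/IoT devices;
  - flows arrive as "timestamp src dst dport proto" lines; the records below
    are constructed, not captured traffic.
"""
import ipaddress
from dataclasses import dataclass

WORK_NET = ipaddress.ip_network("192.168.10.0/24")  # hypothetical work segment
IOT_NET = ipaddress.ip_network("192.168.20.0/24")   # hypothetical consumer/IoT segment

# Services on a work laptop that an IoT device never legitimately needs.
SENSITIVE_PORTS = {22: "ssh", 135: "msrpc", 445: "smb", 3389: "rdp", 5900: "vnc"}

# Constructed sample flows: "timestamp src dst dport proto"
SAMPLE_FLOWS = """\
2020-09-29T09:00:01Z 192.168.20.14 34.120.8.9 443 tcp
2020-09-29T09:00:07Z 192.168.20.14 192.168.10.5 445 tcp
2020-09-29T09:00:08Z 192.168.20.14 192.168.10.5 3389 tcp
2020-09-29T09:01:10Z 192.168.10.5 192.168.20.31 8009 tcp
2020-09-29T09:02:44Z 192.168.20.31 192.168.10.5 445 tcp
2020-09-29T09:03:00Z 10.0.0.5 192.168.10.5 22 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flows(text):
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto))
    return flows


def classify(addr):
    """Place an address in the work segment, the IoT segment, or neither."""
    if addr in WORK_NET:
        return "work"
    if addr in IOT_NET:
        return "iot"
    return "other"


def find_violations(flows):
    """Return (flow, reason) for every flow that reaches the work segment from
    the IoT segment, or from a private host that belongs to neither segment
    (a device the segmentation policy does not account for)."""
    findings = []
    for f in flows:
        if classify(f.dst) != "work":
            continue  # work -> IoT (e.g. casting to a TV) is outside this rule
        svc = SENSITIVE_PORTS.get(f.dport)
        port = f"sensitive port {f.dport}/{svc}" if svc else f"port {f.dport}"
        src_kind = classify(f.src)
        if src_kind == "iot":
            findings.append((f, f"iot->work on {port}"))
        elif src_kind == "other" and f.src.is_private:
            findings.append((f, f"unclassified private host reached work on {port}"))
    return findings


def repeat_offenders(findings, threshold=2):
    """Sources that appear in at least `threshold` findings, keyed by address string."""
    counts = {}
    for f, _ in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return {str(ip): n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_violations(parse_flows(SAMPLE_FLOWS))
    for f, reason in hits:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {reason}")
    print("repeat offenders:", repeat_offenders(hits))
```

On a flat home network, where work laptop and smart speaker share one subnet, the two constants collapse to the same network and this rule cannot be written at all, which is the practical reason for asking employees to put consumer devices on a separate network in the first place.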

Basic password hygiene is another must, and should be something most employees already practise in their everyday lives. At a minimum, employees can be asked to check for and reset default passwords across their IoT devices.

Manufacturers must step up and secure devices

Longer-term action will also be required from the manufacturers themselves. This applies even if they aren’t subject to legal requirements to secure IoT devices in the markets they operate in.

Manufacturers can face huge reputational damage, compromised intellectual property and a loss of consumer trust even when the weakness behind a breach is unintentional, e.g. the result of poor design.

Device-level identity management is a key way to secure IoT. Compromised passwords are the easiest and most common way to gain unauthorized access to devices – which is why legislation often targets this area.

Good credential management looks like this: a unique, tamper-resistant hardware identifier set at the factory, a unique and complex per-device password (never a shared default), and a secure password reset process. Any password stored on the device should be hashed with an industry-standard password hashing function (one designed to be slow, such as PBKDF2, bcrypt, scrypt or Argon2) and a unique salt per password. Two-factor authentication (2FA) is also recommended where possible.
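As an added example of the credential handling described above (and of the default-password check recommended to employees earlier), the following code is not the article’s or any manufacturer’s implementation. It shows a device management account that refuses known default passwords, generates a unique factory password per device, stores passwords as salted scrypt hashes with a constant-time comparison, and issues time-limited reset tokens that stop working as soon as the password changes. The default-credential list is a small constructed stand-in, and the device secret, time-to-live and other names are hypothetical.

```python
"""
Added example: per-device credential management for an IoT management account.

Assumptions (hypothetical): scrypt from Python's hashlib as the password hash;
a constructed list standing in for the default-credential lists attackers use;
reset tokens are HMAC values bound to the current password hash and a timestamp.
"""
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-in for the well-known default credentials that IoT botnets
# try first; a real device would carry a much larger list.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root",
                  "default", "user", "administrator"}

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # cost; raise n as the hardware allows


def password_acceptable(password, device_id=""):
    """Reject known defaults, short passwords, and passwords derived from the
    device identifier printed on the label."""
    if password.lower() in KNOWN_DEFAULTS:
        return False
    if len(password) < 12:
        return False
    if device_id and device_id.lower() in password.lower():
        return False
    return True


def factory_password(nbytes=12):
    """Unique password generated per device at the factory, never a shared default."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password):
    """Salted scrypt record; the salt is fresh for every stored password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return {"alg": "scrypt", "salt": salt.hex(), "hash": digest.hex(), **SCRYPT_PARAMS}


def verify_password(record, candidate):
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(record["salt"]),
                            dklen=32, n=record["n"], r=record["r"], p=record["p"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))  # constant-time


class ResetFlow:
    """Password reset tokens: HMAC over (issue time, current hash) under a
    per-device secret, so a token expires after `ttl` seconds and is void once
    the password (and therefore the hash) has changed."""

    def __init__(self, device_secret, ttl=900):
        self.secret, self.ttl = device_secret, ttl

    def _mac(self, issued, record):
        msg = f"{issued}:{record['hash']}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, record, now=None):
        issued = int(now if now is not None else time.time())
        return f"{issued}.{self._mac(issued, record)}"

    def redeem(self, record, token, new_password, now=None):
        """Return the new password record, or None if the token or password is bad."""
        now = int(now if now is not None else time.time())
        try:
            issued_s, mac = token.split(".")
            issued = int(issued_s)
        except ValueError:
            return None
        if issued > now or now - issued > self.ttl:
            return None
        if not hmac.compare_digest(mac, self._mac(issued, record)):
            return None
        if not password_acceptable(new_password):
            return None
        return hash_password(new_password)  # new hash invalidates the old token


if __name__ == "__main__":
    rec = hash_password(factory_password())
    flow = ResetFlow(b"per-device-secret-from-secure-element")
    tok = flow.issue(rec)
    print("reset accepted:", flow.redeem(rec, tok, "a-brand-new-long-passphrase") is not None)
```

Binding the token to the stored hash is the detail that matters most: a reset token that leaks (for example through a device log) is useless after the first successful reset, and a token minted for one device cannot be replayed against another because each device has its own secret.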

The number of external network connections should be kept to the minimum amount that is necessary for the device to function so that access points are restricted and controlled.

This also applies to physical access points: all interfaces and ports that the manufacturer uses to test or debug the device, such as serial consoles and JTAG headers, should be removed or permanently disabled before the device ships.

Many manufacturers are already taking this seriously but, for those that aren’t, this issue will eventually have to be resolved at a regulatory level.

National governments must mandate basic IoT security standards

Businesses with employees in more than one country will often face a patchy and confusing international regulatory framework on IoT device security.

The UK has stepped up in recent years in this regard. Two years ago, it launched the ‘Secure by Design Code of Practice’ for consumer IoT security.

Primarily aimed at manufacturers, it sought to bake in common sense security standards which included unique default device passwords, a minimum timeline for security updates, and a public point of contact to disclose vulnerabilities. However, manufacturers were not legally required to follow these guidelines.

That changed in January 2020, when the UK government announced legislation to turn these guidelines into law, so that manufacturers of IoT devices sold in the UK will be required to follow them. This is a major step towards protecting consumers, and by extension businesses, by shifting the burden of securing devices away from the user and back onto the manufacturer.

Unfortunately, the US government has not followed suit. The US still lacks federal rules, despite warnings from the FBI about the risks from IoT devices as gateways to ‘primary devices’ like laptops on the same network.

In 2018, California became the first US state to regulate IoT devices under SB-327, requiring many of the same measures as the UK law above. It entered into force in January 2020. But for businesses operating in the majority of the US, a level of IoT risk looks unavoidable.

IoT security is a collective responsibility

Because the ecosystem is still so nascent there is no silver bullet for securing IoT devices at scale – manufacturers, legislators, enterprises, and employees each have their own role to manage and monitor the risks of IoT.

However, with some of these measures in place, businesses can have greater confidence that their corporate networks are secure and insulated from the threat of consumer IoT. Only then can they move on to tapping the wealth of value-add opportunities that IoT devices can provide.

Publication date: September 29, 2020

BELT.ES is not responsible for the opinions expressed in the articles reproduced in our Press Review, nor does it necessarily endorse the opinions and criteria expressed in them. The reproduced information is distributed for non-commercial purposes.
