Businesses, manufacturers, and legislators each have their own role to play to manage the risks of ‘shadow IoT’
With only a third of workers set to return to the office by autumn, UK businesses will continue to have millions of employees working from home for the foreseeable future.
This change has required businesses to introduce a myriad of new policies and procedures to adapt, not least in the field of enterprise security.
For years, industry insiders have predicted IoT devices to surge in number. SoftBank’s COO, Marcelo Claure, boldly stated in 2018 that there will be 100 IoT devices for every person by 2025. That’s nearly a trillion IoT devices in total. What’s more, he said that businesses will increase their IoT spend by 96% in the next three years.
The pandemic has seen demand for IoT devices accelerate as homebound consumers buy devices to kit out their home offices. However, this new wave of IoT purchases, from WiFi routers and mesh networks to smart speakers and health-focused wearables, could undermine businesses’ security as the ‘enterprise’ becomes the worker’s home itself.
How secure is your IoT device?
The majority of IoT devices purchased for the home are relatively inexpensive, marketed to the average consumer, and often little effort is made to protect them at a hardware or software level.
What’s more, IT teams have no visibility over what devices employees own or the security measures that employees have (or haven’t) taken. With 15% of IoT devices owners still using default passwords, chances are high that most businesses have at least one employee with a vulnerable device.
And when that device resides on the same network being used by the worker for emails, file sharing and accessing protected data, a private vulnerability becomes a business problem. Malicious attackers suddenly have access to a greater array of attack surfaces associated with IoT devices ranging from hardware, networks, APIs and interfaces.
With no sign of a full-scale return to the office anytime soon, governments, manufacturers, IT security teams and employees all have a role to play in mitigating these risks.
IoT security 101 for corporate IT
The good news is that IoT device security principles are similar to those applied to other devices and data in general.
Given that these devices are beyond the view of IT and operations teams, they must instead put in place security tools that provide endpoint protection and monitor edge devices – early intrusion prevention and detection is still the best method to avoid breaches.
Encryption and other security applications should be assessed on corporate IT equipment which is deployed on the same network as consumer IoT devices. They are the first line of defense and need to provide the security measures that these devices, as has been outlined, frequently don’t provide as standard.
Their vulnerabilities should be evaluated against the attack surfaces outlined above, with action taken accordingly, e.g. stricter, real-time authentication processes for devices on corporate networks.
Employee education and basic cybersecurity training and awareness also plays an important role in mitigating risk. For example, connecting IoT devices to a separate network makes attacks much more difficult, so asking employees to separate work and consumer devices at a network-level could have a significant impact.
Basic password literacy is also another must and should be something most employees are already doing in their everyday lives – employees can be asked to, at a minimum, check and reset default passwords across IoT devices.
Manufacturers must step up and secure devices
Longer-term action will also be required from the manufacturers themselves. This applies even if they aren’t subject to legal requirements to secure IoT devices in the markets they operate in.
Manufacturers can face huge reputational damage, compromised intellectual property and a loss of consumer trust even if the breach is unintentional, e.g. the result of poor design.
Device-level identity management is a key way to secure IoT. Compromised passwords are the easiest and most common way to gain unauthorized access to devices – which is why legislation often targets this area.
Good credential management looks like a unique tamper resistant hardware identifier set at the factory with a unique complex password and a secure password reset process. Each password stored should also use an industry standard hash function and unique salt value. Using 2FA (two-factor authentication) is also recommended where possible.
The number of external network connections should be kept to the minimum amount that is necessary for the device to function so that access points are restricted and controlled.
This also applies to physical access points – all interfaces and ports which are used by the manufacturer to test or debug the device should be removed.
Many manufacturers are already taking this seriously but, for those that aren’t, this issue will eventually have to be resolved at a regulatory level.
National governments must mandate basic IoT security standards
Businesses with employees in more than one country will often face a patchy and confusing international regulatory framework on IoT device security.
The UK has stepped up in recent years in this regard. Two years ago, it launched the ‘Secure by Design Code of Practice’ for consumer IoT security.
Primarily aimed at manufacturers, it sought to bake in common sense security standards which included unique default device passwords, a minimum timeline for security updates, and a public point of contact to disclose vulnerabilities. However, manufacturers were not legally required to follow these guidelines.
That is until January 2020, when the UK government codified these guidelines into a new law that will force manufacturers who make IoT devices sold in the UK to follow them. This was a massive step towards protecting consumers – and by extension, businesses – by taking away the burden of responsibility to secure their devices and putting it back on the manufacturer.
Unfortunately, the US government has not followed suit. The US still lacks federal rules, despite warnings from the FBI about the risks from IoT devices as gateways to ‘primary devices’ like laptops on the same network.
In 2018, California became the first US state to regulate IoT devices under SB-327, requiring many of the same measures as the UK law above. It entered into force in January 2020. But for businesses operating in the majority of the US, a level of IoT risk looks unavoidable.
IoT security is a collective responsibility
Because the ecosystem is still so nascent there is no silver bullet for securing IoT devices at scale – manufacturers, legislators, enterprises, and employees each have their own role to manage and monitor the risks of IoT.
However, with some of these measures in place, businesses can have increased confidence that their corporate networks are secure and insulated from the threat of consumer IoT. Maybe then they can move onto tapping into the wealth of value-add opportunities they can provide.