Concerns about securing the Internet of Things have not stopped firms from implementing IoT. Fueled by the potential of IoT to help reduce costs, improve efficiency, and provide more visibility into all facets of operations, manufacturers continue to push plans to roll out connected IoT technology.
Manufacturers and consumers cannot afford to be complacent about IoT deployment anymore. Unsecured IoT devices leave enterprises vulnerable to data theft, physical damage, revenue loss, reputational damage, and more.
Concurrently, IoT offers many benefits around efficiency, productivity, and innovation, and companies cannot afford to hold off indefinitely on deploying IoT technology. Inaction carries its own serious risk of losing ground to competitors that act more quickly to seize the advantages of IoT.
Therefore, the best approach is to deploy IoT carefully by using disciplined processes to minimize danger. Here are six steps that companies can take to find solutions to IoT security issues:
- Determine which parts of the business might be most vulnerable or exposed to attacks on IoT devices. Start by compiling a full inventory of IoT devices deployed throughout the organization. Then, assess the extent to which these devices pose a risk to various enterprise platforms, networks, and cloud integrations. Prioritize securing IoT devices where hackers can cause the most mayhem if they manage to find access.
- Build a collaborative, multi-layered defense. IoT devices typically have many stakeholders, so any successful plan to mitigate IoT risk will depend on strong collaboration across business units. By working together, these diverse stakeholders can build multiple layers of security to harden the company’s defenses and improve the ability to contain the damage should any IoT-related attack arise.
- Practice and prepare for worst-case scenarios. Good cyber security operations regularly run ‘fire drill’ exercises simulating breaches in order to test the organization’s response plan. Given the unique challenges involved in detecting and responding to IoT breaches, it makes sense to run IoT-specific attack simulations. Companies can use their experience with these simulations to create defense playbooks.
- Develop comprehensive IoT security skills. The cyber security team tasked with IoT protection should be able to secure the operating systems and firmware of the devices themselves, while also providing API security in case of platform or third-party integrations. To offer the best possible IoT protection, the team should have expertise in authentication, device hardening, and strong encryption through proper crypto key management.
- Work for stronger security in the IoT devices themselves. Companies can communicate their security concerns to IoT device manufacturers and announce that built-in device security will play a major role in future purchasing decisions. Companies should also lobby governments and regulatory authorities to impose stricter security rules on the IoT industry; there are signs that some jurisdictions are starting to impose such rules. For example, by 2020, any IoT device sold in California will either need to ship with a unique password or make users choose their own password the first time they power up the device.
There is evidence that IoT device manufacturers can be encouraged to self-regulate. In the healthcare industry, some major IoT device manufacturers have formed a consortium to push for tighter industry standards on privacy and security. To protect patient privacy, these manufacturers are working to ensure that IoT devices do not store any personally identifiable information (PII).
- Continuously audit and monitor IoT device settings and health.Threats against IoT are always changing. To maintain strong IoT security, companies must have procedures in place to always equip IoT devices with the latest patches against known threats. Companies need to constantly scan their networks to detect IoT-related anomalies so they can actively investigate suspicious activity and contain the damage quickly in case any breach occurred.