The Internet of Things (IoT) is often perceived to be a futuristic concept, prompting images of robots, self-driving cars and automated workplaces. The reality is, however, that the Internet of Things is already here and its use will be broader than anyone can imagine today).
Our world is already loaded with Things. And, as in life, it’s often the Simple Things that matter most. Consider the lowly printer as a case in point. For decades, a printer was no more than an automated typewriter attached to a computer. There was no inherent intelligence and very little complication. But then came an evolution to multifunction and networked devices. Scanning, faxing and copying capabilities were added, along with both wired and then wireless networking.
As with all other devices, the increase in options and capabilities comes with a commensurate increase in complexity and processing power. And this complexity and processing power means that rather than being an extension of a well-controlled computing device, the device itself is an integral part of the network, and, as such, it must be secured.
So what makes a printer—or any other Thing—a thing rather than a computer? One of the primary distinctions is the lack of a well-defined user interface and an accompanying ability to have full-blown security and/or security agents present.
There is a long tail of common IoT devices connected to networks today that are inherently unsecured: Video surveillance systems including webcams, scanners, door-security alarms, smart TVs, fire alarms, lighting controls, point of sale devices, medical devices, SCADA devices—and the list continues. What’s more, the first documented security incident is already a fact of life—webcams being used by hackers to attack websites).
The concept of unmanaged devices being connected to the network in itself is not new. The first wave of devices that really changed the way companies needed to secure their networks was linked to wireless and the use of BYOD devices that started with the introduction of the Apple iPad back in 2010. What is new, though, is the scale of use of IoT devices in corporate networks. According to Gartner, there are six billion devices connected to networks today. In less than four years, that number will quadruple to more than 25 billion devices in 2020!
In order to see the impact of IoT on corporate networks, and how they secure those networks, ForeScout sponsored a survey of 350 security professionals). The results are shocking. The majority of respondents acknowledge the growing number of IoT devices on their networks, yet they are unaware of how to properly secure them.
Several responses raised cause for concern. For example, one question asked security participants: How confident are you that you know all the IoT devices that are connected to your network as soon as they are connected and that you can control these IoT devices so cybercriminals can’t use them as doorways into your network?
Only 15 percent of the respondents felt confident they could see all IoT devices connected to their network. In addition, 70 percent of them lacked confidence in their ability to see connected devices as soon as they joined their networks, and almost half said that they weren’t confident at all.
When connected devices are left out of the security sphere, an organisation’s attack surface becomes much more vulnerable, as you cannot protect what you cannot see.
Perhaps the most shocking finding of the survey came from the question: Which of the following most accurately describes your organisation’s current primary approach to securing IoT devices on your network.
- 27 percent either didn’t know or know that they do not use anything to secure their IoT devices.
- 47 percent use traditional methods to secure IoT devices; methods that were designed for intelligent computing devices and have proven not to be sufficient.
- Only 19 percent use specialised agents—which are largely non-existent for IoT.
The bottom line is that securing IoT requires a new paradigm, which is not yet widely in use.
This survey demonstrates not only how pervasive IoT is within the enterprise, but also how much confusion there is around how to secure it. Every day, new ‘things’ are being added to corporate networks with little regard to their level of security risk. Each insecure device represents a vulnerable point-of-entry into a company’s larger network and organisations are starting to realise this. Now is the time to start looking for ways to address it, before any significant damage is done.