Enterprise IoT threatens to undermine cloud and IT security

We finally just got cloud security right, and now we're screwing it up with new thermostats and copiers that make all that good security worthless

The internet of things, or IoT, is pervasive these days in your personal life. However, this technology is just getting into the Global 2000 companies. Yet most of the Global 2000 companies are unaware of the risks that they are bringing to IT and cloud security with their IoT adoption.

How did this happen? Well, for example, as thermostats and sensors fail in buildings’ HVAC systems, they are often replaced with smart devices, which can process information at the device. These new IoT sensor devices often are computers unto themselves; many have their own operating systems and maintain internal data storage. IT is largely unaware that they exist in the company, and they are often placed on the company’s networks without IT’s knowledge.

Besides the devices that IT is unaware of, there are devices that it does know about but that are just as risky. Upgrades to printers, copiers, Wi-Fi hubs, factory robots, etc. all come with systems that are light-years more sophisticated in intelligence and capabilities than what came before, but they also have the potential of being turned against you—including attacking the cloud-based systems where your data now resides.

Worse, many of these IoT devices are easily hacked, and so can easily become agents for the hackers lying in wait to grab network data and passwords, and even breach cloud-based systems that may not have security systems that take into account access from within the company firewall.

And don’t let price be a proxy for security level: I’m finding that the more specialized and expensive the devices are, the more likely they are to have crappy security.

This is going to be a huge issue in 2018 and 2019; many companies will need to get burned before they take corrective action.

The corrective action for this is obvious: If the IoT device—no matter what it is—cannot provide the same level of security as your public cloud provider or have security systems enabled that you trust, it should not be used.

Most IoT companies are improving their security, even supporting security management by some public clouds. However, such secure IoT devices are very slow to appear, so most companies deploy what is available in the market: IoT devices without the proper security systems bundled in.

Sadly, I suspect that IoT security will be mostly a game of Whack-a-Mole over the next several years, as these things pop up on the corporate network regularly.

That’s really too bad. We finally just got cloud security right, and now we’re screwing it up with new thermostats and copiers that make all that good security worthless.

Copyright © 2018 IDG Communications, Inc.