Security specialists have warned that a high number of companies around the world are embracing the Internet of Things (IoT) without fully understanding the risks of IoT devices, putting their customers’ data in great danger.

“From a security perspective, the world is simply not ready for IoT,” said Rob Sadowski, director of market insight and technology solutions at RSA – the security arm of EMC.

Increasing danger

“It’s just another thing that’s absolutely continuing to expand what we call the attack surface. It’s just another place where an attacker can find a vulnerability or can find a foothold and get in. It’s expanding the number of things that we need to defend or at least understand from a policy perspective.”

Speaking at EMC World in Las Vegas this week, Sadowski said there are a few important questions companies need to ask themselves if they are to utilise IoT devices securely.

Do you know what devices are on your network? Do you know who should have access to those devices? And what can those devices actually do? Can you make sure that those devices are deployed securely and maintained in a secure operating fashion?

“A lot of that has to do with patching and vulnerability management,” he explained. “Some of it has to do with the infrastructure that’s around the devices and how often that changes. That’s all fairly basic hygiene, blocking and tackling-type stuff. But given the scale of the amount of things that might show up on someone’s network in the future, that’s a big problem. Just look at the challenges that exist today.”

Sadowski believes that there are plenty of companies working in the energy and chemicals sectors that are great examples of how not to embrace IoT.

“These are companies that have industrial controls that are automated. Security on their networks tends to not be very good and it’s security through obscurity in a lot of cases. There’s an assumption that devices have been deployed securely and that companies know who has access to them and what they’re doing with them. But when you go into many organisations, they can’t actually answer those very fundamental questions.”

Jeff Carpenter, principal product marketing manager, RSA, agreed that the world is far from prepared for IoT, and is adamant that IoT frameworks must be urgently put in place.

He said: “We already have tens of thousands of manufacturers creating these devices and very few of them are security aware, security optimised or have anything to do with security.

“I’ve even seen security products out there for IoT that have very low security, so go figure. I think what we need is a framework so that you can class IoT devices by certain classifications. For example, a motion detector or a SIM chip that goes with your refrigerator. The framework would create a class of those ‘things’. Then you can manage security by class versus trying to have to manage and address policies for every device on your network.”

However, like many other innovations that are happening in IT, IoT adoption is not something that can be stopped, Sadowski said.

“There’s just so much potential for productivity benefits, cost benefits etc. But people working in security and risk have to get their heads around what the influx of connected devices is going to mean for the security of their company.”


Duncan MacRae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.

Comments

  • A framework to classify IoT devices is an excellent idea for the reasons mentioned. The problem with all information technology is that many of the decision makers in many organisations do not have sufficient technical knowledge, and don't fully understand the impact of their technology decisions. Deployment of technology based on perceived efficiencies often has a far greater financial cost in the long term due to the complexity and security vulnerabilities introduced. The perceived benefit of IoT within organisations is only going to exacerbate the problem.
