In 2020, the Internet of Things (IoT) achieved a new, unprecedented milestone. During the year, there were more IoT connections, such as smart cars, devices, and factories, than non-IoT devices like smartphones, laptops, or computers. The coming years will be even better for IoT. By 2025, there could be almost 31 billion connected IoT devices compared to just over 10 billion non-IoT devices. IoT empowers businesses to create and deliver greater value than ever before. This explains the increasing popularity and ubiquity of IoT.
But at the same time, the constant connectivity and data-sharing that epitomize IoT also increase the risk of cyber-attacks and information compromise. In fact, IoT devices now make up 33% of infected devices, up from 16% in 2019 – indicating that attacks against such devices are already increasing.
To get the best ROI from IoT while minimizing its cybersecurity risks, organizations must follow the 5 best practices discussed below.
1. Understand the IoT Attack Surface
The IoT value chain includes numerous elements:
• The edge or local plane (the “things” in IoT)
• The communications network that connects the physical and digital worlds
• The cloud plane that collects and processes data, and creates value from it
The broad nature of this value chain and the complexities involved in managing a distributed environment of connected IoT devices increases the risk of cyberattacks. That’s why organizations must understand the IoT attack surface, particularly from the perspective of IoT devices, which are usually the weakest link in the IoT security chain.
Understanding the attack surface could start with device inventory. By taking stock of each connected device deployed across the business, the organization can get a better handle on the associated risks. Regular and real-time attack surface scans can help validate the IoT footprint, and recognize the potential cyber risk exposure of each device. This knowledge can go a long way towards risk assessment, mitigation, and elimination. Finally, devices must be regularly patched to keep up with emerging cyber threats and minimize the risk of attack.
2. Adopt an Integrated Risk Philosophy
IoT ecosystems are hyper-connected and unbelievably complex, consisting of enterprise IP networks, cloud services, carrier/network access, product developers, system integrators, hardware manufacturers, and more. This enables threat actors to leverage numerous connection points to compromise these ecosystems, launch large-scale attacks, disrupt operations, and steal sensitive data.
IoT connects enterprises and their operations in myriad different ways. Moreover, it generates and collects data on a massive scale, much of it involving third parties. In this landscape, a “decentralized” approach to IoT cyber risk where risk differs by region, product, business unit, etc. is not suitable. Safeguarding this ecosystem requires a comprehensive, integrated IoT cybersecurity program.
IoT cyber risk must be assessed at every level of the organization, all the way from pre-threat to post-event. The program must focus on anticipating and preventing IoT-related threats, neutralizing identified threats, and restoring normal operations as soon as possible. It’s also vital to continuously monitor each IoT device – either via security audits or by leveraging solutions for security ratings – to find security gaps, identify suspicious behaviors, and ensure that risk remains at an acceptable level.
3. Implement Robust Data Governance
IoT offers more possibilities to create value, due to its potential to generate lots of useful data. This includes data from IoT devices and inventory records, access data, data from industrial control systems, facial recognition data, and much more. But to make the best possible use of this data, data governance is essential.
Here, it’s important to strike the right balance between governance controls that are too tight versus controls that are too lax. Tight controls can arrest the momentum of innovation, and even stall it all together. On the other hand, if oversight is too loose, it exposes the organization to all kinds of cyber risks.
One way to achieve this balance is by establishing a baseline of “normal” data activity, and then monitoring all data activities against this baseline. This can help identify any deviations or anomalous behaviors, which can then be reviewed to eliminate data-related risks.
4. Assess and Address Retrofitting Risks
Many organizations understandably aim to implement new IoT solutions on top of existing legacy systems. But since IoT introduces more points of communication, and expands the attack surface, these legacy systems become increasingly vulnerable to cyber-attacks.
But this does not mean that organizations should not consider retrofitting. However, what they should do is be more aware of the risks arising from retrofitting, and assess these risks in order to effectively manage and mitigate them. It’s also useful to deploy loosely-coupled IoT systems so that the failure of one device doesn’t lead to widespread failure, or impact business operations on a broad scale.
5. Identify and Mitigate Third-party IoT Cybersecurity Risk
To mitigate IoT cybersecurity risk, it’s essential to use base solutions that are secure by design. When devices incorporate cybersecurity considerations right from the beginning, there are likely to be fewer flaws that may compromise security later on.
But with IoT, security by design does not always happen. Moreover, there are no established cybersecurity standards among third-party vendors, which makes it even harder to ensure the security of IoT devices. Another issue is that senior business leaders don’t always understand IoT risk, particularly the risk introduced by third parties. This is why it’s crucial to develop a robust third-party risk management program.
Organizations must better understand the security posture of all IoT vendors, assess their security practices, and ensure that their IoT components are secure by design before they are added to the organization’s IoT ecosystem.
In the past few years, the Internet of Things has evolved at a dizzying pace. While IoT creates immense opportunities for technological innovation, business growth, and societal progress – it also creates numerous cybersecurity risks and threats that could prevent such goals from being realized. But by following the 5 best practices explored here, organizations can minimize the risk and maximize the value of IoT.