Protecting the enterprise from consumer-grade IoT devices


Enterprise IT leaders face many challenges trying to integrate Internet of Things (IoT) technology into their networks. But these challenges cannot be averted or deferred: the number of installed IoT devices worldwide is expected to more than triple to 75.4 billion in 2025 from 23.1 billion in 2018.

In addition to integrating and managing IoT devices — which may number in the thousands for larger enterprises — enterprise IT pros must do their best to ensure these devices are secure. This is no easy task given that many IoT devices are relatively new and untested.

Further, as the Online Trust Alliance (OTA) notes, “‘consumer-grade’ IoT devices such as smart TVs, thermostats, smart speakers, fitness trackers and other devices are now used regularly in enterprises, either purchased by staff or brought in by employees.”

As enterprise IT pros know all too well, consumer devices don’t always include the same level of security features as enterprise devices. OTA says:

While some IoT products are designed with strong security, many have a simple or non-existent user interface, default (or hard-coded) passwords, open hardware and software ports, limited local password protection, lack the ability to be updated, ‘phone home’ frequently, collect more data than expected and use insecure back-end services.

That sounds like a mess o’ security trouble! Indeed, these kinds of security flaws can result in unauthorized access to enterprise networks, surveillance (via audio and video IoT devices) and attacks on enterprise systems and services.

Fortunately, OTA has worked up an excellent checklist of best practices for use of consumer-grade IoT in enterprises (pdf). The list includes 10 items covering the full IoT experience, from installation all the way through the device’s end of life.

OTA cites several “core concepts” that underpin the checklist:

  • Enterprises should be proactive and fully consider the possible risks introduced by these devices.
  • IT leaders should understand that IoT devices are likely more vulnerable than traditional IT devices.
  • It is imperative that enterprises educate users on IoT device risks.
  • A balance must be struck between controlling IoT devices and creating “shadow IoT.”

That last one typically involves some trial and error. Overall, though, the best practices and core concepts for securing IoT devices in the enterprise should sound familiar to enterprise IT pros who follow security best practices for other aspects of the network such as mobile devices, databases and wireless. It really comes down to awareness, education, planning and follow-through.
