The Internet of Things (IoT) is transforming the way that businesses connect with employees and consumers. Now, IoT devices feature sensors that make it easy for companies to collect massive amounts of data. IoT devices also communicate with one another, and as such, often help companies track real-time insights that they can use to improve their everyday operations.
William Malik, Vice President of Infrastructure Strategies at Trend Micro, discussed IoT and the security challenges associated with it during his presentation to Argyle’s CISO membership at the 2018 Information Security Leadership Forum in Atlanta on April 5. In his presentation, “Securing Generations of IoT,” Malik provided IoT security tips for information security professionals.
As more companies search for ways to differentiate themselves from the competition, businesses across all industries may integrate IoT devices into their day-to-day activities. However, IoT security is a problem for many businesses. Ransomware, other malware and rapidly evolving security threats can infect IoT devices at any time. And when an infection occurs, it may extend across a business’s entire network. As such, even a single IoT device vulnerability can cause long-lasting problems for a company, its customers and its employees.
How a company evaluates IoT security may have far-reaching effects. If a business devotes significant time and resources to deploy security tools across its IoT devices, it may be better equipped than others to limit risk. On the other hand, a company that merely focuses on integrating IoT devices across its workforce as quickly as possible may struggle to identify and resolve security vulnerabilities before they escalate.
“When you think of an IoT device, think of something that is a long way away that you’re not going to be able to do much maintenance on,” Malik indicated. “[An IoT device] is a remote device … that needs to be available, reliable and safe.”
In certain instances, keeping corporate device software up to date is problematic. Some corporate devices are equipped with software that was deployed in the 1990s and is unlikely to be updated any time soon. In these cases, businesses risk falling victim to advanced cyberattacks.
“There are devices that were deployed in 1995 that will still be running in 2035,” Malik stated. “These devices cannot be updated … but information security has an entirely different mandate.”
Businesses must remain flexible in their approach to IoT security. The IoT will continue to evolve, and a company must be ready to adapt accordingly. A company that remains complacent is unlikely to keep pace with new cyber threats.
Furthermore, companies must have processes in place to ensure that IoT device security tools are updated regularly. If a company develops an IoT security strategy and updates this plan regularly, it can stay ahead of cyberattacks. Best of all, this business can protect its IoT devices against cyberattacks and reduce or eliminate the time and costs associated with data breaches.
Businesses also must consider how they can integrate security updates into IoT devices. With a plan in place to upgrade IoT device security software, companies can limit the risk of downtime due to software updates.
“You cannot interrupt the system to download any virus updates. You cannot put real-time machine learning into the middle of an industrial control system. Now, it has to work without disruption,” Malik said.
Information security professionals are responsible for safeguarding a company’s sensitive data across all devices, at all times. If information security professionals learn about all aspects of the IoT, they may be able to discover innovative ways to protect a business’s critical information. Plus, information security professionals can take the necessary steps to secure a company’s sensitive information on IoT devices and ensure end users can reap the full benefits of these devices day after day.
Additionally, information security professionals must develop best practices for IoT security and share these practices across all business departments. If employees at all levels of a business understand how to secure a company’s critical information, they can minimize the risk of IoT device infections.
Information security professionals must monitor IoT device security every day. By performing IoT security monitoring and creating IoT security reports, information security professionals can gain the insights they need to deliver consistent IoT device protection. As a result, these professionals can determine the best ways to help a company avoid IoT security dangers both now and in the future.
“You can inventory your IoT [devices], take a look at your networks, categorize your assets and update weak devices,” Malik stated. “Get out in front. Be aware. Do monitoring … and you’ll be able to figure out how to get through [IoT security].”