When it comes to IT acronyms and technical jargon fly fast and free. We’re always looking for a new way to name things, it seems. Shadow IT. Shadow Data. IoT. Shadow IoT. Security of Things. The desire for clarity through naming conventions can overshadow the message. When it comes down to it, most of the conversations are actually the same. It’s about data security. And it’s also about reputation management. So, let’s try to strip back the jargon around IoT and truly understand what is happening.
Understanding the Risks of IoT
Daniel Messier wrote for Dark Reading, “you can’t defend against something you don’t understand,” noting that with the vague promises of the Internet of Things come many risks, many of which have no way to be mitigated. In its infancy, many of these “things” are coming to market quickly with major design flaws and no way to remotely update them. Yes, the onus is on IoT device manufacturers to deliver a secure platform, but we’re not there yet, so how do you respond now? Third party oversight just doesn’t exist yet for the sheer variety of “things.”
Some have responded the risk of IoT devices, whether that’s compromised or hijacked devices or compromised data, by isolating these systems. However, isolating IoT systems from business systems does not erase the risks that these devices could still be used to attack others, as we’ve seen with the stories around hacked cameras being used in a massive botnet attack. This can result in costly damage to your corporate reputation.
To put it mathematically, the number of IoT devices being deployed multiplied by the insecurity of those devices multiplied by how hard it is to update them equals some idea of part of the risk that will be presented by IoT devices.
Although the Dark Reading article talks about ways to secure IoT devices, the advice only pertains to the IoT devices you know about. The current trends toward decentralized IT purchases, both at the business unit and employee-level, suggest that most IoT use cases will be in the “Shadow,” they won’t be approved or managed by IT. It may be, as Daniel suggests, that prevention is somewhat futile and we should focus on reducing the impact of IoT events.
Monika Brink suggests that “unless the security side of IoT is sorted out, it could hold back wider adoption of the technology,” and we agree. Sort of. We think a lack of a strong security footprint will hold back official corporate deployment of IoT systems, but it’s not going to slow down what’s happening at the business and employee-level.
The number of IoT devices is expected to reach 50 billion by 2020. Although many of the same technologies and procedures we use for addressing the risks associated with BYOD devices or the Cloud can and should be applied to the IoT, whether that’s role-based access control, encryption, malware prevention or visibility technologies, IoT security is going to remain elusive for a long time.
Do we have the answers for you. No. But we will keep talking about it. Absolute has long been a leader in conversations about data security and we will continue to offer our insights and thought leadership on the evolving technology landscape as it pertains to data security.
How is your organization tackling IoT?