In his article for Security Week, Rafal Los asked an interesting question: Do you have a security policy for the Internet of Things (IoT) gadgets in your office?
We’re familiar with BYOD policies for our smartphones, tablets and laptops. Wouldn’t BYOD security policy cover IoT devices, which technically include smartphones and tablets? The difference, Los pointed out, is that many of our IoT devices are constantly connecting or streaming, and he asked:
How many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn’t be trusting?
It’s a valid question. According to ISACA’s 2015 IT Risk and Reward Barometer, the vast majority of IT professionals believe that their organization will be breached through some type of connected device, while at the same time, these same IT pros aren’t confident that manufacturers are taking steps to add security to most of these devices.
Here is a good example of the security weaknesses in IoT: Webcams are under close scrutiny right now for potential vulnerabilities. Vectra Threat Labs reported how easy it was to hack into an inexpensive webcam, while the NowSecure blog examined a number of camera-and-app combinations and found that they all had some sort of security flaw.
Gunter Ollmann, CSO of Vectra Networks, told eSecurity Planet this:
The design of many mass-produced consumer-level electronics is very similar. Devices that can be easily attached to the network and remotely controlled or managed via the Internet tend to be soft targets.
Jen Martinson, editor-in-chief with Secure Thoughts, explained to me in an email that while hackers aren’t going to bother to create malware on devices that have a limited shelf life (and there do seem to be more than a few IoT devices that are a flash in the pan), there is a struggle to find or create security tools for IoT for two reasons. She continued:
The first is that the IoT is highly diverse, making it is nearly impossible to create a security solution that will be able to affect the entire market (or even a sector). It might be possible to improve the security of our networks, but that is an entirely different problem.
The other struggle is that the technology behind the IoT is still evolving. Until we have a more uniform system behind it, the IoT will remain difficult to secure.
So, have you considered an IoT security policy, separate from your BYOD policy? It may be time to evaluate your need for one.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba