Why the Internet of Things (IoT) is a Risk to Your Organization
The Internet of Things (IoT) is the networking of physical devices and other items that have network connectivity built in. That connectivity lets the devices (the "things") collect, transmit, analyze, and exchange data. Each device combines hardware, software, data, and services, and can be controlled and managed remotely across the existing network infrastructure.
IoT devices are used in three main sectors, enterprise, home, and government, with the enterprise Internet of Things being the largest. Complex distributed computing and applications will put a very large number of these devices on the Internet. Devices with their own CPU, memory, and processing capability are a risk to your organization because they can perform actions, not merely sense activity.
A variety of communication technologies can connect devices to networks, including Wi-Fi, Wi-Fi Direct (peer to peer, without the need for a wireless access point), Bluetooth Low Energy, Li-Fi (Light Fidelity, which uses light rather than radio), wired Ethernet, and others.
Internet of Things Risks
Many organizations adopt IoT devices without fully recognizing the privacy issues, risks, security challenges, and regulatory requirements involved. The traditional security practices that apply to network infrastructure (vulnerability management, patch management, change management, and so on) remain necessary but are not sufficient on their own; additional controls are needed when IoT devices are deployed.
To keep costs down, many IoT manufacturers do not build stronger security features into their devices. As a result, the devices themselves may be attacked, or, once compromised, may be used to launch attacks on other devices or on the network.
IoT risks include:
- Denial of Service (DoS) - compromised devices can be used to launch denial of service attacks against the network.
- Insecure defaults - devices must be hardened and their default settings (including any default credentials) reviewed and changed prior to installation.
- Unmanaged devices - devices must be inventoried and managed in the same way as other network components.
- Obsolescence - with the rapid pace of technological change, devices may need to be replaced or upgraded on a regular basis; a device that no longer receives updates remains a risk for as long as it stays connected.
Action Plan
Organizations should first prepare a formal Risk Assessment, Risk Analysis, and Risk Treatment Plan for their IoT devices. Knowing the risks allows the organization to select preventive, detective, and corrective security controls that reduce each risk to an acceptable level. The Risk Assessment also helps the organization implement defense in depth, with layers of security instead of single points of failure.
Full disclosure is important: users should be made aware of any data sharing that occurs. In addition, in the event of a security breach, the organization must notify the affected individuals if their personally identifiable information (PII) was compromised.
Organizations should collect only the minimum user data required, and retain it only for the period the organization actually needs it.
Formal, documented policies ensure a top-down approach to managing these risks.