Mitigating the risk posed by the Internet of Things


The Internet of Things – IoT – is escalating the risk of both malicious and unintentional attacks on businesses as an increasing number of devices are connected to company networks.

The risk of attack now extends to anyone plugging any device into a company’s network. Together with the risk posed by shadow IT, this leaves businesses unsure how best to protect their network.

The current IoT risk exacerbates the existing challenge posed by bring your own device (BYOD) policies. Business leaders and IT managers are still struggling to manage employees’ desire to use their personal devices, including laptops and mobile phones, without control over the hardware or software installed, and with limited password protection to safeguard valuable company information. IT teams struggle to offer the same level of protection across the many different devices plugged into the network.

Numerous IoT devices may be unnecessarily implemented by businesses who do not have a true understanding of security, introducing vulnerabilities for malicious attacks. For example, we recently had a customer whose point of sale system was attacked and customer credit card details were stolen. The hacker was able to gain access through the air conditioning system, which was connected to the network for monitoring purposes.

Businesses must be cautious of any device connected to their network that is not considered a corporate device. For example, wearable technology such as watches and fitness trackers, plus CCTV, programmable logic controllers (PLC), and operational technology (OT) can all pose a potential security risk if not properly secured.

To protect the network, businesses should implement a policy of nominated individuals who must approve how, when, and what technology can be plugged into the network. Employees must be frequently reminded of this policy.

It’s important for employees to understand that every device connected to the network has the potential to bring the company into disrepute by introducing risk and allowing hackers into the environment.

Businesses must constantly be on the lookout for anything that may be vulnerable, and for new technologies they can implement to ensure the company is protected against hackers exploiting IoT connectivity.

A business should have policies and procedures in place to cope with breaches regardless of the source. They should follow an internal threat management process to mitigate the risk and ensure it doesn’t happen again.

Mark Blower, National Business Manager – Networks and Security, Empired