By, Mitchell Muro, Product Marketing Manager
IoT, the internet of things, is everywhere, including inside your enterprise environment. And that’s a very good thing. IoT has been a blessing for enterprises: It can make employees more productive and enable crucial business processes to run more smoothly, intuitively, and efficiently.
Yet the same technology also makes your enterprise more vulnerable in many ways. Take Verkada, the IoT building-security startup that was hacked in 2021, exposing footage from over 150,000 connected surveillance cameras belonging to 95 customers.
This post will explore the most common use cases for IoT in the enterprise, along with some of the biggest vulnerabilities it creates. We’ll then explore three ways you can keep your IoT-connected enterprise productive while staying safe from threats.
The Vast Range of Enterprise IoT
At this point in the game, it’s impossible to imagine giving up IoT, as it’s become a must in every enterprise environment. Most IoT technology in an enterprise setting falls into one or more of three categories:
- Smart-building technology: Elevators, thermostats, HVAC systems, smart-lighting hubs
- Smart office technology: Badge readers, cameras, routers
- Smart business technology: Conferencing equipment, smart TVs, smart boards, virtual assistants like Alexa
While these devices are certainly useful, they also create weaknesses in your carefully planned network security.
For example, in the Verkada breach, the hacked surveillance cameras gave the attackers inside views of facilities including prisons, schools, companies, and even car manufacturer Tesla. Verkada had previously claimed its systems were “virtually unhackable,” yet investigations after the fact revealed a lax, unprofessional corporate culture that should have raised some red flags.
The Verkada breach is nothing unique; in fact, too many situations like this have recently come to light. The important message here is that you need to understand the innate flaws in IoT security so that you can take steps to protect your own enterprise’s sensitive data.
Why IoT Is Innately Vulnerable
As the Verkada incident highlighted, IoT devices come with a few intrinsic flaws that make them unacceptable as a security risk:
- Lack of standardization creates a hodgepodge of devices
- Weak security approach, including flimsy or nonexistent passwords
- Outdated and unpatchable architecture, firmware, software
- Larger number of devices expands the attack surface and opens up the possibility of a botnet campaign
As a result, it’s all too easy for hackers to gain access to these devices and either wreak havoc with the IoT devices themselves or move laterally to harm mission-critical systems and steal the personally identifiable information (PII) of customers or employees, intellectual property, or other assets. Hackers may also gain control over the network and hold it for ransom. And their latest trick? Combining these strategies in double extortion attacks that promise even more lucrative payoffs.
In general, vendors build and sell IoT solutions based on functionality and ease of use, often rushing products to market to beat the competition—without looking at the security big picture.
Originally, they may have assumed hackers wouldn’t bother with these “inconsequential” devices—but it’s clear today that there’s big money in ransomware and the sale of enterprise IP, both nightmare scenarios for most enterprises.
We’re not saying you have to stop using IoT in your enterprise. It’s too late for that, and besides, you don’t want to lose the benefits. Instead, let’s look at three simple ways to boost your enterprise’s IoT security.
How to Properly Secure IoT Devices
As we’ve seen, IoT can be a weak link in your security. But that doesn’t have to be the case. Once you’re aware of the many issues surrounding IoT security, it can help to begin with a free IoT security checkup and assessment report, which easily detects and identifies devices connected to your network and analyzes their associated risk. This way, you can start mapping out your enterprise’s top priorities when it comes to preventing attacks.
Beyond this, here are three best practices to follow to defend your organization against attacks initiated through or by taking advantage of compromised IoT devices:
1. Smarten Up Your Passwords
Most organizations use the weak default passwords that come with their IoT devices. That’s not laziness; it’s often hard to change the passwords both because of the sheer number of IoT devices you have to manage and because the interface is usually unclear or hard to use. Ideally, each device should have its own secure password so that even if an intruder gains access to a single device, their potential to do damage is reduced.
Buying Tip: When investing in new IoT devices, make sure it will be easy to change passwords from time to time.
2. Apply All Possible Patches
IoT hardware comes and goes quickly. That leaves an uneven patching landscape in which manufacturers may go out of business or devices may reach end-of-life quickly. A software or firmware patch may be available for certain devices, especially now that a few high-profile IoT-based attacks have made the news and some manufacturers are smartening up and releasing patches.
Buying Tip: When choosing new IoT devices, ensure that the manufacturer has built in a reasonably easy-to-implement patch capability.
3. Move Toward Zero Trust
Many organizations today are moving toward a “zero-trust” model centered on the principl, “Never trust. Always verify.” In this model, each user is verified before being given access based on the principle of “least privilege,” i.e., only for legitimate business purposes. This can prevent lateral attacks even if an intruder breaches your network. Network segmentation is another way to block untrusted users from moving laterally through your organization.
Buying Tip: For all new IoT devices, make sure you choose products that can support a zero-trust network architecture.
Toward Better, Tighter Standards
It’s no secret that most IoT devices represent security breaches just waiting to happen. And the landscape is changing. In December 2020, the U.S. passed the IoT Cybersecurity Improvement Act demanding better, tighter standards for IoT devices. This is an important step, acknowledging the serious threat these devices pose.
However, even important legislative actions like these are too late for most enterprises, as they are already using IoT from unregulated vendors. They may not even be aware of what IoT devices are in their environment.
Obviously, when you’re buying new devices, it’s essential to choose vendors you trust and that are known for putting security first. When it comes to the devices you already have, it’s not too late to secure them. Check Point’s Quantum IoT Protect helps you manage and secure your IoT devices in a few ways:
- Use of automated discovery to know exactly what’s on your network and why it’s there
- Blocking unauthorized access with zero-trust segmentation
- Staying aware of top-priority issues with virtual patching and up-to-date threat intelligence
Quantum IoT Protect lets you keep using the IoT devices your enterprise needs for productivity while closing the IoT security gap. Start with a free security assessment and see how simple it is to stay secure in the age of IoT.