The power of the Internet of Things (IoT) resides in its ability to bring together disparate operational and information technologies in novel and exciting ways. Networked systems and connected devices generate vast troves of data that power insights and innovations scarcely imagined just a few years ago.
As with many emerging technologies, however, IoT's biggest benefits also reveal some of its greatest challenges. Today's IoT environments pack impressive processing power into previously inert sensors, feeding networked systems with hooks into an organization's most critical data stores and legacy IT infrastructure. It's part blessing, part curse.
According to Bain & Company, the market for IoT products and services will top $520 billion in 2021, twice the amount spent in 2017. The firm found that many organizations are holding back on IoT initiatives out of basic concerns about IoT security risks such as lack of data confidentiality and system resilience.
In the drive to capitalize on the obvious opportunity in IoT solutions and services, it's important for you to also consider the security ramifications in a space where product development often outpaces the risk management controls needed to rein it in.
Solution providers can bake security into every IoT proposal and client deployment by following these four IoT security recommendations:
1. It starts with awareness
Asset inventories are difficult enough in conventional IT environments. When it comes to IoT, which can include a wide array of sensors, actuators, system and building control devices, and more, the challenge increases exponentially. Solution providers leveraging the NIST Cybersecurity Framework can focus efforts by using NIST’s function to catalog all of a client's hardware and software, develop a detailed inventory, and establish an IT asset-management program that covers just about everything with an IP address or a URL that’s connected to the network.
Because network- and internet-accessible IoT devices receive, process, and store sensitive data, controlling access and behavior is a must. But that can be accomplished only if the solution provider knows about the devices in the first place.
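The inventory check described above can be automated by reconciling what is actually seen on the network against the recorded asset list. The following is an added example, not part of the original article; the CSV columns, the "ip mac hostname" observation format, the function names and all sample values are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample: the client's asset inventory as a CSV export.
INVENTORY_CSV = """mac,ip,owner,type
00:1A:2B:3C:4D:01,10.20.0.11,facilities,hvac-controller
00:1A:2B:3C:4D:02,10.20.0.12,facilities,badge-reader
00:1A:2B:3C:4D:03,10.20.0.13,operations,temperature-sensor
"""

# Constructed sample: one "ip mac hostname" line per device observed on the
# network, e.g. exported from a DHCP server or a switch ARP table.
OBSERVED = """10.20.0.11 00-1a-2b-3c-4d-01 hvac-1
10.20.0.40 00:1A:2B:3C:4D:02 badge-lobby
10.20.0.77 de:ad:be:ef:00:99 unknown-cam
"""

def norm_mac(mac):
    """Normalize a MAC address to lowercase, colon-separated form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(inventory_csv, observed_text):
    """Compare observed devices with the inventory, keyed by MAC address."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    inventory = {norm_mac(r["mac"]): r for r in rows}
    seen = {}
    for line in observed_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        seen[norm_mac(parts[1])] = parts[0]
    return {
        # On the network but never catalogued: nobody is managing these.
        "unknown": sorted(m for m in seen if m not in inventory),
        # Catalogued but not seen: offline, moved, or stale inventory entry.
        "missing": sorted(m for m in inventory if m not in seen),
        # Known device at an unexpected address: verify before trusting it.
        "ip_changed": sorted(m for m in seen
                             if m in inventory and inventory[m]["ip"] != seen[m]),
    }

if __name__ == "__main__":
    for finding, macs in reconcile(INVENTORY_CSV, OBSERVED).items():
        print(finding, macs)
```

MAC addresses can be spoofed, so a clean result here confirms coverage of the inventory, not device identity.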
2. Test for new vulnerabilities
IoT environments are unlike typical IT networks and systems in several key ways. The devices employed in an IoT setting often lack basic security controls, are far less resilient in testing than traditional hosts and can be resistant to normal patching and updating routines.
This means new methods for vulnerability testing and risk mitigation are a must. The OWASP Internet of Things Project offers excellent guidance for understanding the IoT attack surface, developing meaningful testing protocols and establishing effective controls for issues such as weak authentication, update mechanisms, insufficient privacy protections and more.
3. One policy to rule them all
Getting IoT systems in line with existing security policies can be a challenge in itself. While the customer likely has IT requirements in place for access controls, acceptable use, logging, patching, updating, backup, incident response and more, there's a good chance that newly deployed IoT devices won’t be able to fully support such policies.
A thorough review of security standards often requires a new set of policies to integrate the IoT environment into the security plan and governance program in a way that maintains alignment with the client's overall risk-management strategy and regulatory responsibilities.
4. Vendor selection and accountability are key
Much of the onus for protecting the customer’s IoT environment lies with you, the solution provider. One obstacle to that effort, however, is the difficulty in determining the true security posture of many IoT devices—knowing exactly what these connected and embedded systems are capable of doing on the network and how they can be appropriately patched when vulnerabilities inevitably arise.
Not all vendors are equally forthcoming about the development issues and maintenance requirements. Sticking with those that provide a well-documented security roadmap is a good first step. Beyond that, it’s critical to hold vendors accountable for the way their IoT devices handle access to and storage of sensitive data and their methods for keeping those systems updated and secure. Standards bodies such as the aforementioned NIST, as well as the Institute of Electrical and Electronics Engineers (IEEE), offer excellent guidance for vendor documentation and management of IoT security posture now and into the future.
Delivering adequate security measures to safeguard connected devices and networked environments is vital to the success and profitability of an IoT practice. According to Bain research, 42% of business decision-makers list concerns about IoT security risks as a top barrier to adoption. The same group indicated they’d spend 22% more, on average, if their security concerns were addressed.
Following the above IoT security recommendations and building them into every IoT proposal can really improve your chances for success at making the sale. It shows you know your business and understand some of the concerns of reluctant customers.
To learn more about IoT security risks and how Ingram Micro can help you realize the potential of IoT, contact us at firstname.lastname@example.org