According to Gartner, 32% of IT leaders say security risk is the biggest barrier to IoT adoption.
It’s a statistic that makes me laugh.
Does anyone believe that employees will not adopt IoT because of risk? Most are completely oblivious to it. Others care more about their convenience than your security.
IoT is not in the control of IT leaders or security teams – the horse has already bolted.
Suddenly, security and IT not only have to cope with bring-your-own-device (BYOD) and the risk that brings, but with employees bringing a far wider range of connected objects into the workplace, and purchasing objects without understanding that the device brings risk. These devices can easily be bought and connected to office networks without the IT team being any the wiser.
Take the office manager who buys a new coffee machine for the kitchen at work. Does he or she know that the device is now a potential security risk? Does he or she know to log the device with IT, get it assessed and secured? Of course not. It’s from these smaller, lower-profile objects that the biggest risks will come. IT may be able to secure critical connected devices and longer-term objects, but what about the connected coat of a contractor? Will IT expect workers either to be disconnected from the WiFi or stripped of all their objects before they enter the building?
The attack surface is not just getting bigger, it’s becoming more dynamic and more diverse.
In verticals such as healthcare, there is a major threat to life and limb – with wearables and monitors, HVAC, fridges and even internet-connected body parts. But healthcare has also had longer to adapt than most verticals. They have learnt that such devices are not built with security in mind. They’re not smart enough to take antivirus software, often can’t be patched, and may not have an operating system. The sheer diversity of devices means that while IT can manage a large proportion in the traditional way – with specific and enforceable policies – some IoT devices cannot be managed like this.
Enterprises are therefore adopting dynamic inventory and network access control tools that enable them to identify and track devices that are connected to their network, and restrict and control what these devices can access. But they also need to remove the barriers and boundaries within the enterprise, which currently create unknown vulnerabilities like that connected coffee machine.
One solution to the problem is to use network segmentation, meaning that non-approved devices cannot access secure networks and systems within the enterprise or that traffic from these objects is kept separate.
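The inventory-and-segmentation approach described above, as an added example that is not part of the original article: it checks devices seen in DHCP leases against an approved inventory and places anything unrecognised on an isolated VLAN. The inventory, lease records, VLAN numbers and function names are all constructed for illustration.

```python
import re

QUARANTINE_VLAN = 999  # assumed id for the isolated segment

# Constructed approved inventory: normalised MAC -> (owner, VLAN it may join)
APPROVED = {
    "00:1a:2b:3c:4d:5e": ("finance-laptop-07", 10),
    "00:1a:2b:aa:bb:cc": ("ward-monitor-02", 20),
}

# Constructed DHCP lease records: "mac ip hostname"
LEASES = """\
00-1A-2B-3C-4D-5E 10.0.10.21 finance-laptop-07
001a.2baa.bbcc 10.0.20.5 ward-monitor-02
3C:5A:B4:11:22:33 10.0.10.77 coffee-machine
DA:A1:19:00:00:01 10.0.10.78 contractor-wearable
"""

def normalise_mac(raw):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the locally administered bit is set (typical of randomised MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def place_device(mac):
    """Return (vlan, reason) for one device; anything not approved is isolated."""
    if mac in APPROVED:
        owner, vlan = APPROVED[mac]
        return vlan, f"approved: {owner}"
    if is_locally_administered(mac):
        return QUARANTINE_VLAN, "unknown, randomised MAC: cannot be tracked by address"
    return QUARANTINE_VLAN, "unknown: not in inventory"

def segment(leases):
    """Map each leased hostname to its (vlan, reason) decision."""
    decisions = {}
    for line in leases.splitlines():
        raw_mac, _ip, hostname = line.split()
        decisions[hostname] = place_device(normalise_mac(raw_mac))
    return decisions

if __name__ == "__main__":
    for host, (vlan, reason) in segment(LEASES).items():
        print(f"{host:22} VLAN {vlan:<4} {reason}")
```

MAC addresses can be spoofed, so this shows the placement logic only; it is not a substitute for authenticated admission such as 802.1X.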
For B2B service providers there are opportunities to assist with network segmentation and network-level security. They can also become resellers of expertise and software to smaller businesses that do not have this type of expertise in-house.
At a more strategic level there is an opportunity to work with object manufacturers to provide connectivity and security to families of connected devices and ecosystems of suppliers.
Take that connected coffee machine. It might be offered on an as-a-service basis. Thus the machine supplier is responsible for ensuring the machine doesn’t break down and has to take responsibility for firmware or software upgrades, monitor performance and book technician visits to descale, clean or mend the machine. But equally the coffee supplier will need to ensure that the company doesn’t run out of coffee stocks. It might get clever and get employees to rate various types of coffee so that they supply the types favoured by those employees. Such a value web is potentially lucrative to support and enable, but it has little to do with the enterprise actually hosting the coffee machine itself. It’s unlikely that the device manufacturer wishes to run such an ecosystem – they just want to benefit from it. This provides opportunities for savvy B2B operators that can identify, enable and monetise such ecosystems.