There were 9 billion Internet of Things (IoT) units installed at the end of 2013 by IDC’s count, and its analysts expect the figure to hit 28 billion by 2020.
That’s going to make life difficult for IT security administrators.
A Tripwire survey found that employed consumers who took work home had an average of 11 IoT devices on their home networks, and 24 percent of them had connected at least one of these devices to their enterprise network.
The survey covered 404 IT professionals and 302 executives from retail, energy, and financial services organizations in the United States and the UK.
Furthermore, 63 percent of the respondents expect they’ll be forced to adopt IoT devices despite the security risks to ensure business efficiency and productivity, and 43 percent say the risks associated with the IoT could be the most significant risk on their network.
The survey did not include smartphones, tablets or laptops; instead, it covered printers, 3D printers, scanners, routers, firewalls, modems, gaming consoles, wearable devices including smartwatches, smart appliances, smart utility meters, VoIP phones, and controllers for lighting, heating, ventilation and air conditioning.
“We deliberately chose several smart devices that are already included in home and enterprise networks,” Tripwire spokesperson Shelley Boose told TechNewsWorld. These are “common devices that use machine-to-machine communication.”
Firewalls, routers and modems come with security features built in “but many of these aren’t used or aren’t used correctly,” Boose continued. “Often the default password is still in place and services that aren’t used are active. These things are routinely exploited by cybercriminals.”
Managers constituted about 26 percent of the respondents; directors, vice presidents, or C-level executives another 15 percent; sales 11 percent; tech specialists 10 percent; operations 9 percent; and scientists or engineers nearly 6 percent.
Many of the devices in the respondents’ homes can be controlled with a mobile app.
“One of the key takeaways from this study is that, even though respondents didn’t expect IoT risks to be significant, these risks are already present on their networks with common devices,” Boose said. “If we aren’t mitigating these risks, it’s easy to see the danger associated with less common devices like smart controls for HVAC and lighting, wearables and smart meters.”
Company employees “routinely” use smartphones and tablets on untrusted networks, Tripwire security researcher Craig Young pointed out.
“The risk of cross contamination from home networks can be very serious unless security controls are enforced,” Young told TechNewsWorld. “Most people assume that virtual private networks solve all remote connection problems, but this is not true.”
The BYOD Threat
Wearables and mobile devices introduce major security risks within the enterprise through their use of apps, Maureen Polte, VP of product management at Flexera Software, told TechNewsWorld.
Mobile OSes “include APIs (application programming interfaces) that mobile apps can leverage to access information on mobile and wearable devices,” Polte explained.
That information could include contact lists, photos and calendar items, which may be sensitive information for organizations.
“Mobile apps can access any corporate social media accounts that they’ve been configured to access, and many include undocumented features that could be used for malicious purposes,” said Polte.
For example, Zentertain’s “Flashlight” app accesses telephony and SMS features, location tracking, and the device’s address book and calendar — and that data “may then be sent to third parties,” Polte stated.
Enterprises should “begin to analyze mobile apps and start building institutional knowledge around how mobile apps behave” as they prepare mobile applications for delivery, she suggested.
Commitment to Security
The always-on connectivity of wearables and IoT devices means they can easily be tampered with on a home network or on public WiFi networks, and then used to deliver malware once connected to the office network, Jim Reno, chief security architect at CA Technologies, told TechNewsWorld.
They “need to be treated as any computer or smartphone that needs to be secured,” recommended Reno.
“The same security policies should apply and organizations need to take all the practical security measures of intrusion detection, data protection, [and] monitoring of internal systems and access controls, to name a few,” he said.