For the second year, a survey of IT decision-makers by Palo Alto Networks has found that Internet of Things (IoT) cybersecurity practices are lacking and that this is leaving corporate networks exposed to threats created by the presence of non-business IoT devices.
According to the 2021 survey, over half of respondents in the UK (56%) who have IoT devices connected to their organisation’s network reported an increase in non-business IoT devices connecting to corporate networks in the last year. Smart light bulbs, heart rate monitors, connected gym equipment, coffee machines, game consoles and even pet feeders are among the list of the strange devices commonly found on such networks in this year’s study.
According to Greg Day, VP and CSO EMEA, Palo Alto Networks, “The research shows that there will be significant challenges for UK PLC as it manages the digital integration of office and home environments. Visibility is a fundamental part of implementing good IoT security practices and this is clearly something that organisations in the UK need to work on. When you consider that the security controls in consumer IoT devices are minimal, so as not to increase the price, the lack of visibility coupled with increased remote working could lead to serious cybersecurity incidents.”
Seven out of ten UK IT decision-makers (68%) whose organisation has IoT devices connected to its network reported that remote work during the COVID-19 pandemic resulted in an increased risk from unsecured IoT devices on their organisation’s business network. For 42%, this increased risk had translated into an increase in the number of IoT security incidents for their organisation as a result of the shift to remote work. The vast majority (93%) of the same group indicated that their organisation’s approach to IoT security needs improvement. However, despite the risks, UK respondents were far less likely than their EMEA counterparts to feel that drastic change was needed, with only 4% believing a complete overhaul was needed compared to the EMEA average of 20%. Nonetheless, more than four in ten (44%) recognised that a lot of improvement was needed. The greatest security capability needs were found to be around threat protection (61%), risk assessment (50%) and segmentation (50%).
When it comes to how far along the IoT security journey organisations in the UK are, more than four in ten (44%) IT decision-makers that have IoT devices connected to their network have made a start by segmenting IoT devices onto a network separate from the one used for primary devices and business applications (such as HR systems, email servers and finance systems). However, only one in ten (11%) said that IoT devices are micro-segmented within security zones — an industry best practice where organisations create tightly controlled security zones on their networks to isolate IoT devices from IT devices and prevent attackers from moving laterally across the network. A further 42% answered that they either had not begun considering specific IoT security measures or had not segmented IoT devices onto a network separate from the one used for primary devices and key business applications.
Day continues, “Organisations need robust IoT security measures to countenance for the potential blind spots brought about by remote working. The low level of micro-segmentation in the UK, combined with the fact that many have IoT devices and critical business applications operating on the same network, gives more cause for concern. Organisations need to be proactive and swift in correcting these issues. Failure to do so will almost certainly see them in the crosshairs of cyber criminals.”
There are other worthwhile steps for mitigating IoT security risk at home and in the enterprise.
Top 3 IoT Security Tips for the Work-from-Home (WFH) Employee
1. Get more familiar with your router. All of your IoT devices likely connect to the internet through your router. Start by changing defaults — the settings every router comes with — to something unique. Then encrypt your network by simply updating your router settings to either WPA3 Personal or WPA2 Personal.
2. Keep track of which devices are connected. You can access your router’s web interface and look for “connected devices,” “wireless clients” or “DHCP clients” to see a list and disconnect older devices you no longer use, and disable remote management on the devices where you don’t need it.
3. Segment the home network. Network segmentation is not only for large corporations. You can segment your home network by creating a guest Wi-Fi network. The easiest way to do this is to have IoT devices use a guest Wi-Fi network, while other devices use the main network. This helps to logically group devices in your home and isolate them from each other. Keeping them on a separate network makes it difficult to get to your computers from a compromised IoT device.
Top 3 IoT Security Tips for the Enterprise
1. Know the unknowns. Get complete visibility into all IoT devices connected to the enterprise. An effective IoT security solution should be able to discover the exact number of devices connected to your network, including the ones you are aware of, the ones you are not, and the ones that have been forgotten. This discovery provides an up-to-date inventory of all IoT assets.
2. Conduct continuous monitoring and analysis. Implement a real-time monitoring solution that continuously analyses the behavior of all your network-connected IoT devices to contextually segment your network between your IT and IoT devices — and their workloads. Securing and managing WFH setups as branch extensions of the enterprise requires a new approach.
3. Implement Zero Trust for IoT environments. An IoT security strategy should align with the principle of Zero Trust to enforce policies for least-privileged access control. From there, look for an IoT security solution that leverages your existing firewall investment for comprehensive and integrated security posturing. Running in conjunction with the capabilities of your firewall, the solution should automatically recommend and natively enforce security policies based on the level of risk and the extent of untrusted behavior detected in your IoT devices. Additionally, a point solution can extend a corporate network and bring unified security policy management and SASE (secure access service edge) to WFH employees.
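The three enterprise tips above (inventory, segmentation, least-privilege policy), and the home-network advice to check the router's DHCP client list, can be reduced to a small audit routine. The following Python script is an added example written for this article; it is not Palo Alto Networks' code or any product's output. It parses a constructed dnsmasq-style DHCP lease table, compares each observed device against a constructed asset inventory and segmentation plan (flagging unknown devices and known devices that have landed on the wrong segment), and then applies a default-deny allow-list of (source zone, destination zone, port) tuples as a minimal Zero Trust policy check. All MAC addresses, subnets, hostnames and policy entries are constructed sample values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of a router's DHCP lease table (dnsmasq-style):
# <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1700000000 3c:6a:9d:aa:bb:01 192.168.1.20 laptop-alice 01:3c:6a:9d:aa:bb:01
1700000100 b8:27:eb:aa:bb:02 192.168.1.55 smart-bulb-1 *
1700000200 d4:f5:47:aa:bb:03 192.168.1.77 * *
1700000300 00:17:88:aa:bb:04 192.168.50.10 coffee-machine *
"""

# Constructed asset inventory: MAC -> (label, zone the device is meant to live in)
KNOWN_DEVICES = {
    "3c:6a:9d:aa:bb:01": ("laptop-alice", "it"),
    "00:17:88:aa:bb:04": ("coffee-machine", "iot"),
}

# Constructed segmentation plan: zone name -> subnet
ZONES = {
    "it": ip_network("192.168.1.0/24"),
    "iot": ip_network("192.168.50.0/24"),
}

# Constructed least-privilege allow-list: (src_zone, dst_zone, dst_port).
# Any flow not listed here is denied (default deny).
POLICY = {
    ("it", "iot", 443),        # admins manage IoT devices over HTTPS
    ("iot", "external", 443),  # IoT devices reach their vendor cloud
}

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)


def parse_leases(text):
    """Turn lease-table text into a list of dicts; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        _, mac, ip, host, _ = m.groups()
        leases.append({"mac": mac.lower(), "ip": ip,
                       "hostname": None if host == "*" else host})
    return leases


def zone_of(ip):
    """Map an address to its zone; anything outside the managed subnets is 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def audit_leases(leases, known=KNOWN_DEVICES):
    """Compare observed devices with the inventory and segmentation plan.
    Returns (mac, ip, issue) for every device that needs attention."""
    findings = []
    for lease in leases:
        actual = zone_of(lease["ip"])
        if lease["mac"] not in known:
            findings.append((lease["mac"], lease["ip"],
                             f"unknown device on '{actual}' segment"))
            continue
        label, expected = known[lease["mac"]]
        if actual != expected:
            findings.append((lease["mac"], lease["ip"],
                             f"{label} expected in '{expected}' but seen in '{actual}'"))
    return findings


def is_allowed(src_ip, dst_ip, dst_port, policy=POLICY):
    """Zero Trust style check: permit a flow only if its zone pair and port are allow-listed."""
    return (zone_of(src_ip), zone_of(dst_ip), dst_port) in policy


if __name__ == "__main__":
    for mac, ip, issue in audit_leases(parse_leases(SAMPLE_LEASES)):
        print(f"{mac} {ip}: {issue}")
    # coffee machine reaching a laptop's SMB port: denied by default
    print(is_allowed("192.168.50.10", "192.168.1.20", 445))
    # admin laptop managing the coffee machine over HTTPS: allowed
    print(is_allowed("192.168.1.20", "192.168.50.10", 443))
```

On the constructed sample the audit reports the two devices that are absent from the inventory (both sitting on the IT segment, exactly the situation the survey's 42% describe), and the policy check denies the IoT-to-IT flow while allowing the two explicitly listed ones. In practice the inventory would be fed from the discovery tool and the allow-list from the firewall's policy, but the shape of the check is the same: unknown devices are findings, and flows are denied unless a rule says otherwise.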