The Internet of Things has grown increasingly popular in the business world, and that’s unlikely to change anytime soon. The sheer convenience offered by connected endpoints effectively guarantees this, which is likely a large part of the reason we’re seeing IoT surface in everything from food delivery to the office breakroom. Unfortunately, where cybersecurity is concerned, these smart devices are very often rather stupid.
The lion’s share of IoT devices was not designed with security in mind. Part of this can be traced back to the nature of the consumer IoT market. Where business-to-consumer (B2C) transactions are concerned, security doesn’t move products.
Effective lifecycle management doesn’t generate excitement. Well-designed firmware doesn’t catch the eye of customers. What matters to most end-users isn’t security, but convenience and entertainment.
There’s also the fact that many of the vendors now manufacturing connected endpoints have no background in software engineering or cybersecurity. They haven’t traditionally needed to pay much attention to either, beyond a bog-standard IT department. That lack of experience becomes glaringly evident when you look at the devices that are actually brought to market.
On the topic of the market, there’s also a pronounced lack of consistency. IoT is a highly competitive field, and more often than not the first company that can bring a feature-rich product to market is the one that dominates. That race to ship creates the perfect storm for a cybersecurity nightmare, compounded by the fact that securing so many different endpoints, each with its own firmware and its own update cadence (or none at all), results in a genuinely baffling chimera of complexity.
The bad news is that you functionally cannot secure every IoT device. While endpoints designed for business use are built to more exacting standards, the stuff your employees are probably bringing into the workplace isn’t. And in case you’re thinking you can restrict the use of smart devices in the workplace, recall how well that worked during the Bring Your Own Device craze of the 2010s.
Instead of protecting the endpoints from being compromised, the key to securing the IoT lies in protecting your network from the endpoints. Let’s examine a few of the best ways to do so.
Isolate IoT Devices on Their Own Network
The Internet of Things represents one of the largest attack surfaces in history, and its security has more holes than a slice of Swiss cheese. In practice, this means that devices such as smart lighting or smart thermostats can serve as entry points into your corporate network, and hostile actors are well aware of it.
If you’re lucky, a criminal will simply render an endpoint non-functional or pull it into a botnet. If you aren’t, you’re looking at a data breach in the making. Simply putting the devices on their own VLAN isn’t enough to protect you here, either: if the gateway still routes freely between that VLAN and the corporate one, the segment is a label, not a barrier.
Instead, put in the time to create a guest network exclusively for IoT devices, with an explicit firewall policy that denies all traffic from it into your corporate network. This isn’t a true air gap (the devices still share a gateway, and most of them need Internet access to reach their vendor’s cloud), but it allows your employees to keep using smart devices while keeping your core infrastructure (more or less) safe from the threat they represent. Malware on a compromised endpoint cannot move into your network if there’s no path through which it can do so, and a criminal who owns the coffee machine can only exfiltrate what the coffee machine can see.
Use The Hub and Spoke Method
The most effective configuration for your guest network is the hub and spoke model. A single router or firewall acts as the ‘hub’ for all the smart devices (the ‘spokes’) in the office. Configure the hub so that each spoke can talk only to the hub itself, for DHCP and DNS, and to the specific Internet destinations it has explicitly been granted, typically the vendor’s cloud endpoint. Spokes should not be able to reach one another (most access points and switches call this client or port isolation), and the rule denying traffic into the corporate network should sit ahead of any egress allow rule, so that one careless allow can’t reopen the path. Finish the rule set with a default deny.
Additionally, we’d advise applying a network monitoring solution to your guest network, at minimum flow logging on the hub, so that you can identify and mitigate suspicious traffic or device activity: an IoT device probing the corporate address range, a smart device trying to reach another one, or an endpoint suddenly talking to an Internet host it has never contacted before. Strictly control any new connections to your corporate network, and audit the hub’s rules regularly, because an accepted flow that the policy was supposed to deny means the hub is misconfigured or has been bypassed. After all, even if your IoT devices are isolated on their own segment, that’s no guarantee of safety.
An employee could still carry malware across on a laptop or smartphone that joins both networks, after all.
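The policy described in the two sections above (an isolated IoT segment with hub-and-spoke rules, and monitoring of the hub’s flow logs), as an added example that is not part of the original article. The addresses, the egress allow-list and the log lines are constructed for the example, and the key=value log format is an assumption; a real deployment would express the same rules in the firewall’s own syntax.

```python
"""Hub-and-spoke policy for an isolated IoT segment, plus a flow-log audit.

Addresses, the allow-list and the log lines below are constructed for the
example; they are assumptions, not values from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import FrozenSet, List, Optional, Tuple

IOT_NET = ip_network("10.50.0.0/24")     # the guest/IoT segment (assumed)
CORP_NET = ip_network("10.10.0.0/16")    # the corporate network (assumed)
IOT_GATEWAY = ip_address("10.50.0.1")    # the "hub": router/firewall of the segment
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[FrozenSet[int]]   # None means any destination port
    action: str                       # "allow" or "deny"


def flat_segment_policy() -> List[Rule]:
    """A VLAN with a permit-any rule: the segment exists, but nothing stops
    an IoT device from reaching the corporate range."""
    return [Rule(IOT_NET, ANY, None, "allow")]


def hub_and_spoke_policy(allowed_egress: List[Tuple[str, int]]) -> List[Rule]:
    """Ordered, first-match rules. Spokes may talk to the hub for DHCP/DNS
    and to allow-listed Internet hosts; everything else, including the
    corporate range and other spokes, is denied."""
    rules = [
        # Hub first: the gateway sits inside IOT_NET, so this must precede
        # the lateral-traffic deny below.
        Rule(IOT_NET, ip_network(f"{IOT_GATEWAY}/32"), frozenset({53, 67}), "allow"),
        # Explicit deny into the corporate network before any egress allow.
        Rule(IOT_NET, CORP_NET, None, "deny"),
        # No spoke-to-spoke traffic (client isolation).
        Rule(IOT_NET, IOT_NET, None, "deny"),
    ]
    for host, port in allowed_egress:
        rules.append(Rule(IOT_NET, ip_network(f"{host}/32"), frozenset({port}), "allow"))
    rules.append(Rule(IOT_NET, ANY, None, "deny"))  # default deny
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule matching the flow ("deny" if none)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.ports is None or dport in r.ports):
            return r.action
    return "deny"


# Constructed firewall flow records in a simple key=value format (assumed).
SAMPLE_FLOW_LOG = """\
2024-05-01T09:12:03Z src=10.50.0.23 dst=10.50.0.1 dport=53 action=ACCEPT
2024-05-01T09:12:04Z src=10.50.0.23 dst=203.0.113.10 dport=443 action=ACCEPT
2024-05-01T09:14:11Z src=10.50.0.23 dst=10.10.4.7 dport=445 action=DROP
2024-05-01T09:14:12Z src=10.50.0.23 dst=10.50.0.41 dport=22 action=DROP
2024-05-01T09:15:30Z src=10.50.0.41 dst=198.51.100.77 dport=6667 action=ACCEPT
2024-05-01T09:16:02Z src=10.50.0.41 dst=10.10.4.7 dport=445 action=ACCEPT
"""


def parse_flow(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return {"src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "action": fields["action"]}


def audit(rules: List[Rule], log_text: str) -> List[Tuple[str, str, int, str]]:
    """Flag flows worth a human look: any attempt (accepted or not) to reach
    the corporate range or another IoT device, and any accepted flow that
    the intended policy should have denied (a misconfigured or bypassed hub)."""
    findings = []
    for line in log_text.splitlines():
        f = parse_flow(line)
        key = (f["src"], f["dst"], f["dport"])
        d = ip_address(f["dst"])
        if d in CORP_NET:
            findings.append(key + ("probe of corporate network",))
        elif d in IOT_NET and d != IOT_GATEWAY:
            findings.append(key + ("lateral traffic between IoT devices",))
        if f["action"] == "ACCEPT" and evaluate(rules, *key) == "deny":
            findings.append(key + ("accepted flow that the policy should deny",))
    return findings


if __name__ == "__main__":
    # One allow-listed egress destination, e.g. a thermostat vendor's cloud (assumed).
    policy = hub_and_spoke_policy([("203.0.113.10", 443)])
    print("flat VLAN, IoT -> corp SMB:", evaluate(flat_segment_policy(), "10.50.0.23", "10.10.4.7", 445))
    print("hub-and-spoke, IoT -> corp SMB:", evaluate(policy, "10.50.0.23", "10.10.4.7", 445))
    for finding in audit(policy, SAMPLE_FLOW_LOG):
        print(*finding)
```

The flat policy lets the IoT device reach corporate SMB; the hub-and-spoke policy denies it. Over the sample log the audit surfaces five findings: two attempts on the corporate range, one lateral attempt that the hub correctly dropped, and two accepted flows the policy should have denied, the last of which is an IoT device that got through to a corporate host and therefore indicates a hub rule that has drifted from the intended policy.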
Don’t Grow Complacent
There are two essential rules of thumb in cybersecurity.
- It’s never a matter of if a system can be compromised. It’s a matter of when it will be compromised.
- Be willing and able to immediately take any measures necessary to protect your assets, up to and including wiping compromised systems.
This applies equally to IoT devices. Ensure you have the mechanisms in place to quickly take a compromised IoT device off the network, wipe it and restore it from known-good firmware, and keep an inventory so you know which device is which when the time comes. Bear in mind that a factory reset does not always remove firmware-level tampering, so be prepared to replace a device rather than trust a reset. Make sure that you also maintain comprehensive backups of every critical asset, such that you can spin up a restored instance of that asset immediately in the event of a cyberattack.
The Internet of Targets
IoT isn’t going anywhere anytime soon. Unfortunately for everyone, that means that there are likely rough days ahead in the cybersecurity space. Focus on finding ways to secure and protect your network now.
Because if you wait for the IoT space to develop and apply a security framework, you might as well open the door for criminals.