Not only are your customers’ IoT devices more vulnerable to tampering than traditional IT assets, but many of these devices are also designed with minimal protection.
Security concerns around the Internet of Things (IoT) seem to have caused some confusion in the market. Companies that overestimate IoT threats have slowed progress on related initiatives, while other companies have deployed connected devices with little concern for or awareness of the vulnerabilities.
IoT presents some new and unique security challenges that will make it more complex than standard IT security. As a result, IoT has to be part of any data security conversation MSPs have with their clients.
IoT Challenges and Vulnerabilities
IoT will create thousands of new nodes on the network. Whether these are connected devices your customers are using internally or equipment they’ve deployed at their own customers’ locations, IoT-enabled assets can create new vulnerabilities and a high number of potential failure points when it comes to data protection.
Unlike other IT assets, IoT devices may be exposed in an open environment (leaving them vulnerable to tampering). There is a wide variety of connected devices, each with a different level of available onboard security and processing power. These devices also bridge both information and operational systems.
Another complicating factor is that many devices now joining the network were never designed to support high-level security features. Some lower-cost connected devices have, in fact, been designed with minimal protection in order to decrease costs. Many devices ship with preset standard passwords, for example, and no easy way to alter them.
That was part of the problem last year when hundreds of thousands of Chinese-made wireless cameras were infected by Persirai malware. Similar Mirai malware infected IoT devices like DVRs, Internet routers, and CCTV cameras.
IoT Best Practices
As such, it will be important to keep the following best practices top of mind to ensure that you and your clients are on the same page when it comes to IoT exposure:
Communicate with your customers about IoT security. They may be utilizing connected equipment, unaware of the potential risks. Explain clearly why both the devices and data should be protected, and provide best practices recommendations for securing their applications.
Make sure IoT devices are properly configured. Many connected devices that have found their way into enterprise installations are still operating with default security settings. Your clients should conduct a complete device audit to make sure these devices are protected sufficiently.
In larger organizations, that may also mean ferreting out any small IoT pilots that may be flying under the radar of the IT department.
Include IoT devices in ongoing monitoring and maintenance programs. A larger universe of devices and equipment will require regular security patches and surveillance.
Identify what data is collected, why it is being collected, and whether it falls into any compliance areas. IoT devices can create a lot of data, much of it personal. Conduct a risk assessment with clients to make sure they know what’s being collected, whether all of that data is necessary, and how much of it may be affected by industry regulations.
In the case of some third-party equipment, the device manufacturer may also stake some claim to the data being collected. Make sure your customers understand who can access the IoT data, and whether that involves any rights to monetize the data in some fashion.
Understand challenges posed by the amount of data. Do you and your clients have the infrastructure in place to securely store and manage the large influx of data these devices represent? Where will that capability reside — on premises with you or the customer, or in the cloud? The IoT will also require the deployment of a large number of IoT gateways to provide data processing at the network edge. That infrastructure will similarly need protection.
Each IoT deployment will look different depending on the use case. For example, connected medical devices obviously present a different threat level than connected vending machines. Making sure the IoT is a central part of the data security discussion, regardless of the application, will be critical in reducing risk as more devices come online.
Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.