From sensors on the factory floor to those that guide autonomous vehicles, the Internet of Things (IoT) is transforming how we live and work. Over the coming years, IoT will continue to change our world, with the number of connected devices expected to grow from 13.8 billion units in 2021 to 30.9 billion by 2025.
But for security teams, it can seem like the Wild West out there. As more and more IoT devices connect to the corporate network, understanding and mitigating the risk they pose is an arduous task. It’s no surprise that attacks against IoT devices are rising at an alarming rate. And while a newly proposed IoT rating system could go a long way toward mitigating this risk, it will not be a silver bullet.
Here are some best practices you can follow to step up your IoT cybersecurity and tame the Wild West.
Understand your IoT attack surface
The first step to securing internet-connected devices is getting a handle on the IoT devices in your digital ecosystem. That goes for the smart refrigerator in the breakroom to the IoT technology your organization uses to track assets. After all, you can’t secure what you can’t see.
One way to gain visibility into your IoT network is to take stock of each connected device deployed across your business. This isn’t always easy, especially if your organization has an extensive network infrastructure or has acquired or installed IoT devices without the oversight of IT. In addition, since these inventory audits are a one-and-done approach they don’t account for new devices as they come online.
A better way to understand and manage IoT cyber risk is to conduct an attack surface scan. Performed in real-time as needed, attack surface monitoring can quickly validate your IoT footprint. The scan will also assess each device for cyber risk exposure so you can make informed, comparative decisions about where to prioritize your cybersecurity efforts.
For instance, if a healthcare system has 50,000 devices across five locations, the scan will display all devices and identify, by location, those with security vulnerabilities or malware infections. It will also visualize which assets have the highest risk exposure. With these insights, teams can pinpoint the location of potential vulnerabilities and focus security resources on those devices that are essential to the continuity of operations or contain a vast amount of sensitive data.
Implement continuous monitoring of IoT cybersecurity
Because risk is constantly emerging, you need to monitor each IoT device for security gaps and suspicious behavior on an ongoing basis.
To do this, you would traditionally conduct intermittent security audits. But these can be costly and time-consuming and only capture a point-in-time view of the security posture of your organization’s IoT investments. These assessments are also hard to scale cost-effectively.
For this reason, more organizations are turning to continuous monitoring solutions like security ratings.
Security ratings are a data-driven measurement of the security performance of each asset in your organization’s IT portfolio, including IoT devices. Derived from objective, verifiable information, ratings help assess risk and the likelihood of a data breach based on externally observable risk factors – such as open ports, misconfigured software, compromised systems, exposed credentials, and weak security controls.
Findings are presented as a numerical score between 250 to 900 – with a higher rating equating to a stronger security performance – making it easy for everyone to understand your organization’s ability to withstand IoT-based cyberattacks. And because security ratings are captured continuously, in near real-time, security teams can quickly mobilize to mitigate risk before it’s exploited by a bad actor.
Mitigate third-party IoT cybersecurity risk
Nowhere is the Wild West of IoT cybersecurity more acutely felt than in third-party IoT risk management. Varying standards of cybersecurity among third-party vendors make it hard to ensure the security of those devices.
Perhaps that’s why a recent study by the Ponemon Institute found that six in ten organizations don’t monitor third-party-developed devices for cyber risk. The report finds that the problem is fueled by a number of factors, including IoT expansion, a lack of centralized IoT risk management programs, and a lack of engagement and understanding of IoT risk by senior business leaders and board members.
These findings underscore the importance of developing a robust third-party risk management program and being more aware of the security posture of the vendors your business chooses to work with. You must regularly audit and assess their security practices and policies to ensure that they develop secure IoT components. If applicable, your organization should also find a way to close the disconnect between IT and business leadership through more effective governance.
Starting taming your IoT risk
Almost every organization is or will soon face the IoT cybersecurity challenge. But with this three-step framework, you can tame the IoT Wild West with confidence.