IoT is Active and Moving. Are you?
The U.S. Department of Commerce recently cited that 200 billion connected devices will be deployed by 2020, with an accompanying economic impact in the trillions of dollars by 2025. This Internet of Things (IoT) represents a major transformation of the digital world, one that has the potential to affect everyone and every business. As a result, many companies are moving ahead on IoT projects with little consideration of the security or privacy issues that accompany them.
Many companies, however, do not have a specific solution in place to secure IoT devices, and some may not even know whether they have security policies covering those devices. ForeScout® Technologies, Inc. recently announced the findings of its new “Enterprise Internet of Things (IoT) Survey.” The survey of more than 350 Information Technology (IT) professionals assessed their organizations’ IoT security practices. The research revealed that while the majority of respondents acknowledge the growing number of IoT devices on their networks, they do not know how to properly secure them. Moreover, 85 percent of respondents lacked confidence in their ability to see connected devices as soon as they joined their networks, and almost a quarter said they were not confident at all. When connected devices are left outside the security program, they enlarge the organization’s attack surface without being monitored or managed. The excuses for this are many, and the users of these companies’ products are the potential victims of digital crime; many of them are never notified of, or even aware of, the risks.
Today there is an added risk: spying. As the Internet of Things becomes more commonplace, more valuable data will be accessible through an ever-widening set of entry points, not only to criminal hackers but also to intelligence agencies such as the National Security Agency (NSA). So what is a developer or solution provider to do? It starts at the concept stage, with deciding how data is collected, processed, stored and destroyed. This is not only a software consideration but also a hardware one. At a high level, here is where you need to start:
- What do your company’s policies and procedures say about your systems development life cycle (SDLC)?
- Does your SDLC allocate time at the design/concept stage for a Privacy Impact Assessment (PIA) and a Technical Risk Assessment (TRA)?
- Are your developers/programmers given security training?
- Do you perform background checks on developers/programmers?
- Where do you store your source code? And who has access to it?
- Where are your components sourced from, and have you validated the firmware on these components and integrated circuits?
- Have you assessed your third-party libraries for security issues and coding practices?
- Did you perform “threat modelling” of the proposed solution?
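The component-sourcing question above asks whether you have validated the firmware that arrives on your parts. One concrete, repeatable way to do that is to record the digest of each firmware image at the time the component is qualified and re-check every image before it goes onto a board. The script below is an added example written for this article, not TwelveDot's or any vendor's tooling; the component names, image bytes and the idea of a locally held approved-image manifest are all constructed assumptions for illustration.

```python
"""Added example: check received firmware images against an approved manifest.

Assumption (not from the original post): at component-qualification time we
record the SHA-256 of each approved firmware image in a manifest we control,
and every later shipment is verified against that record before assembly.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a whole firmware image."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(approved_images: dict[str, bytes]) -> dict[str, str]:
    """Record the digest of each approved image (done once, at qualification)."""
    return {name: sha256_hex(blob) for name, blob in approved_images.items()}


def verify_firmware(manifest: dict[str, str], received: dict[str, bytes]) -> dict[str, str]:
    """Compare every received image against the approved manifest.

    Status per component:
      "ok"       - digest matches the approved record
      "mismatch" - image present but digest differs (modified, downgraded, wrong build)
      "unlisted" - image received for a component we never approved
      "missing"  - approved component for which no image was received
    """
    results: dict[str, str] = {}
    for name, blob in received.items():
        expected = manifest.get(name)
        if expected is None:
            results[name] = "unlisted"
            continue
        actual = sha256_hex(blob)
        # compare_digest gives a constant-time comparison of the hex strings.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in manifest:
        if name not in received:
            results[name] = "missing"
    return results


def approved_for_production(results: dict[str, str]) -> bool:
    """A build is cleared only if every component verified "ok" and nothing is extra or absent."""
    return bool(results) and all(status == "ok" for status in results.values())


# Constructed sample data: hypothetical component names and made-up image bytes.
APPROVED_IMAGES = {
    "radio-mcu": b"\x7fFW\x00radio v2.3.1" + bytes(range(64)),
    "sensor-hub": b"\x7fFW\x00sensor v1.0.9" + bytes(range(32)),
}
MANIFEST = build_manifest(APPROVED_IMAGES)

# The "received" shipment: the radio image is intact, the sensor-hub image has
# a single flipped bit, and an image shows up for a part that was never approved.
_tampered = bytearray(APPROVED_IMAGES["sensor-hub"])
_tampered[-1] ^= 0x01
RECEIVED_IMAGES = {
    "radio-mcu": APPROVED_IMAGES["radio-mcu"],
    "sensor-hub": bytes(_tampered),
    "debug-bridge": b"\x7fFW\x00debug v0.1",
}

if __name__ == "__main__":
    results = verify_firmware(MANIFEST, RECEIVED_IMAGES)
    for component, status in sorted(results.items()):
        print(f"{component:14} {status}")
    print("cleared for production:", approved_for_production(results))
```

Two caveats a practitioner should keep in mind. First, this detects changes relative to the image you approved; it says nothing about whether that approved image was itself clean, which is why the vendor's own signature over the manifest and a code review or binary analysis still belong in the qualification step. Second, an extra image for an unapproved part ("unlisted" above) is treated as a failure, not ignored, because undocumented firmware on a board is exactly the kind of entry point the article is warning about.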
All of these aspects need to be considered: they are the benchmark for all of your solutions and must become part of your business culture. That includes documenting every one of these elements, especially the meetings in which design decisions are made. Maintain a decision log/registry tied to the project. It can be referenced if and when a breach happens, and it can save your a$$ by proving that you did the due diligence at design time. Your dev-ops, designers, and testers need to eat, think and breathe private and secure design. Doing this up front will not only greatly reduce support costs on the back end but also help avoid possible lawsuits.
At TwelveDot our goal is to help companies that are struggling to secure their mobile, cloud and IoT solutions. Connect with us to see how we can help you solve your security challenges.