While there have increasingly been many predictions about the impact the Internet of Things (IoT) will have on organizations in the future, it appears that the number of non-traditional devices connected to corporate networks is already challenging enterprises.
According to a study by Atomik Research and security firm Tripwire, employed people working from home have an average of 11 IoT devices on their home networks, and nearly one in four have connected one of these devices to their enterprise networks. The devices run the gamut, with printers (27 percent), routers (22 percent), video equipment (20 percent) and video gaming consoles (14 percent) the most popular. Twenty-four percent of them admitted to connecting a personal smart device – other than laptops and cell phones – to a corporate network, and most said they are only “somewhat” concerned with the security of these devices.
“Network monitoring and change control policies provide the foundation for enterprises to quickly recognize new devices being connected to the corporate network,” said Craig Young, security researcher for Tripwire. “Unauthorized devices should stand out like a sore thumb by performing continuous or periodic network scans. This type of change can trigger an administrative response to disable or isolate the unknown device as an active enforcement of corporate policies.”
The survey fielded responses from 404 IT professionals, 603 employed consumers who work from home and 302 executives from the retail, energy and financial services in the U.S. and the U.K. Less than one in four of the IT professionals surveyed said they are confident in the secure configuration of common IoT devices that are already on enterprise networks: Voice over Internet Protocol (VoIP) phones (21 percent), sensors for physical security (20 percent), smart controllers for lights and HVAC (16 percent), point-of-sale devices (18 percent) and industrial controllers (12 percent).
Interestingly, while only eight percent of the respondents who work in IT in the energy industry said they were concerned about cybercriminals attacking industrial controllers, 88 percent admitted they are not confident in the secure configuration of those controllers.
Among its other findings, the survey also reported that 63 percent of executives expect business efficiencies and productivity will force them to adopt IoT devices despite the security risks. Still, 46 percent said the risks associated with IoT have the potential to become the most significant risk on their networks.
“Proper network segmentation and firewalling is definitely good security hygiene and will mitigate some of the risks associated with these systems but this alone is generally not enough to keep the determined attacker out of your system,” Young said. “By implementing these security controls the attacker may be prevented from launching certain direct attacks but persistent attackers have shown in the past the capability to move laterally through an organization in spite of segmentation and firewalls. If for example an HVAC system that is isolated from important corporate systems is compromised, the attacker may still be able to steal passwords or implant exploits to further their access into an organization. Target’s breach after all was ultimately linked back to network credentials stolen from an HVAC subcontractor.”
The survey can be downloaded here.