Corporate IT is all about balancing demand for new technology in the workplace against the need for security. BYOD has been a threat to corporate IT networks for years, but employees' dependence on tablets and services like Dropbox – and the general circumventing of IT rules and regulations – is just the start.
Internet of Things (IoT) devices are actively penetrating heavily regulated industries such as healthcare, energy infrastructure, government, financial services, and retail, according to a recent report. This is 'shadow' IT: devices on the network that the IT department never sanctioned and often does not know about. Not only do IT staff have to think about the BYOD craze, they also have to consider the plethora of smart devices and other parts of the IoT that are creating multiple insecure access points.
The IoT threat
Don't think you've got many IoT devices on your corporate network? Think again, says Andrew Hay, Director of Security Research at OpenDNS, who authored the 2015 Internet of Things in Enterprise Report.
"Consumer devices such as Dropcam Internet video cameras, Fitbit wearable fitness devices, Western Digital My Cloud storage devices, various connected medical devices, and Samsung smart TVs continuously beacon-out to servers in the US, Asia, and Europe – even when not in use," writes Hay. Even worse, a survey of more than 500 IT and security professionals found that 23% of respondents make no attempt to prevent someone from connecting unauthorised devices to their company's networks.
In practice, the IoT is a free-for-all.
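The steady beaconing Hay describes is also how such devices can be found. As an added illustration written for this page (not code from the OpenDNS report), the following Python reads resolver log lines and flags hosts that query the same name at a near-constant interval; the log lines, client addresses and domain names are constructed placeholders.

```python
"""Flag hosts whose DNS queries recur at a near-constant interval (beaconing)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample resolver log: "<ISO timestamp> <client IP> <queried name>".
# 10.0.5.23 mimics a camera phoning home every ~5 minutes; 10.0.5.40 is a
# workstation whose queries are irregular human browsing.
SAMPLE_LOG = """\
2015-06-01T09:00:00 10.0.5.23 updates.example-camera-vendor.test
2015-06-01T09:05:01 10.0.5.23 updates.example-camera-vendor.test
2015-06-01T09:10:00 10.0.5.23 updates.example-camera-vendor.test
2015-06-01T09:15:02 10.0.5.23 updates.example-camera-vendor.test
2015-06-01T09:20:00 10.0.5.23 updates.example-camera-vendor.test
2015-06-01T09:00:12 10.0.5.40 intranet.corp.test
2015-06-01T09:03:47 10.0.5.40 mail.corp.test
2015-06-01T09:20:10 10.0.5.40 mail.corp.test
2015-06-01T09:31:05 10.0.5.40 intranet.corp.test
2015-06-01T09:58:59 10.0.5.40 mail.corp.test
2015-06-01T10:02:30 10.0.5.40 mail.corp.test
"""


def parse_log(text):
    """Group query timestamps by (client, queried name)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, name = line.split()
        series[(client, name)].append(datetime.fromisoformat(ts))
    return series


def beacon_candidates(text, min_queries=4, max_jitter=0.1):
    """Return (client, name, period_seconds) for each series whose gaps
    between queries are nearly constant: the coefficient of variation
    (stdev / mean) of the inter-query gaps is below max_jitter."""
    found = []
    for (client, name), stamps in parse_log(text).items():
        if len(stamps) < min_queries:  # too few points to call it periodic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period < max_jitter:
            found.append((client, name, round(period)))
    return found


if __name__ == "__main__":
    for client, name, period in beacon_candidates(SAMPLE_LOG):
        print(f"{client} beacons to {name} every ~{period}s")
```

Hosts flagged this way are candidates for an inventory check, not verdicts: a legitimate monitoring agent beacons too, so the list is a starting point for asking what the device is and who put it on the network.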
What kinds of devices?
IoT in the workplace already has a broad reach. "You are looking at everything from lifts to vending machines to heating control systems and smart utility meters on one side, to the IP-enabled coffee maker in the kitchen, the CCTV cameras in the hallways and car park to the smartwatches on employees' wrists at the other extreme," says Sergio Galindo, general manager, GFI Software.
It's a growing threat, too; IoT in the workplace is on the verge of a surge. "With a full range of smart building technologies and business appliances now IP-enabled and in everyday use to allow for remote monitoring, maintenance and configuration, the Internet of Things is already heavily entrenched in the business world, while the consumer world is still in its infancy," adds Galindo.
The shadow IoT
The more devices you have connected to the internet, the more vulnerable you are. "All devices, such as smart TVs, network attached storage (NAS) devices and wearables such as Fitbit do potentially expose a corporate network," says Dr Kevin Curran, Technical Expert at the IEEE, though he does point out that IoT devices are not equal, and that an infrequently patched Windows XP machine exposed to a network is much more of a threat than a webcam on the same network.
"Each device should be secure by default – it should only perform specific tasks and stop unauthorised activities from being carried out," says Amol Sarwate, Director of Engineering at Qualys. "Unfortunately, many developers don't have this mind-set in place from the start."
Even so, many IoT devices are not treated as potential threats, and IT staff often overlook them. "This can be simple things like not applying patches that are available to fix known problems, or not putting authentication steps in place to verify who has access," says Sarwate. "When these systems are on their own private networks, they can be easily mitigated, but adding internet access leads to immediate problems."
Smart devices are not as simple to update as they ought to be. "With these devices, it's about making sure they have the latest firmware installed," says Galindo. "If manufacturers issue updates, getting those updates into everything from a smart thermostat to a smart lighting system is both important and time-consuming."
Patch management systems can help automate some of the software updating not covered by the likes of Windows Update, but with most IoT devices it means manually checking for updates, downloading them and applying them by hand.