Who’s responsible for securing the future of work?


In 2021, cyberattacks against IoT devices have gotten bigger and bolder, from hacking water treatment plants to security cameras, which is why work-from-home (WFH) employees and IT teams need to collaborate and share responsibility for securing the enterprise. IoT adoption has become a critical business enabler, but what are the new security challenges that come with it and what steps can be taken to overcome them?

About the author

Greg Day is VP & CSO for EMEA at Palo Alto Networks.

The use of corporate and personal connected devices is now intertwined as work and home environments merge into one, but it exposes businesses to new cybersecurity obstacles that require a joint response from everyone.

Personal IoT devices crossing onto business networks

The rise in home and hybrid working as the new norm is resulting in more consumer connected devices straying onto business networks. These non-business connected things range from wearable medical monitors and smart lightbulbs to coffee machines and pet feeders. Over the last two years, Palo Alto Networks has been tracking this trend as part of an IoT security study covering 18 countries in EMEA, APAC and the Americas. In the 2021 results, 78% of international IT decision-makers (among those whose organization has IoT devices connected to its network) confirmed an increase in non-business IoT devices connecting to corporate networks by remote workers in the last year. Some markets, such as the USA, reported even higher figures, with 84% saying there had been an upsurge.

These personal IoT devices present a rising security challenge for cybersecurity teams as attackers only require one employee to have one vulnerable device they can exploit. Unfortunately, most consumer IoT devices provide poor or no security features at all. Without the enterprise-grade level of security required, consumer IoT devices could pose a real problem for businesses; this is a concern acknowledged by respondents in the study.

On a global scale, most IT decision-makers (81%) whose organization has IoT devices connected to its network reported that remote work during the pandemic caused an amplified risk from unsecured IoT devices on their organization's business network. Over seven out of ten (78%) revealed this increased risk had translated into a rise in the number of IoT security incidents.

The reality is that working from home and the rise in IoT devices are here to stay for the long term, and there will be increased pressure to review IoT cybersecurity in 2022. Nearly all respondents (96% in 2021 and 95% in 2020) to the global IoT survey indicated that their organization requires adjustments in its approach to IoT security; in 2021, 25% suggested a complete overhaul would be best.


WFH workers and IT teams work together

For remote workers, corporate network security starts from the home. To ensure best practices are put in place from the very beginning, IT teams and business leaders must educate and encourage their WFH employees to raise the bar of home cybersecurity hygiene standards starting with their router. For example, some simple steps to follow include altering default security settings and encrypting the home network by updating router settings to either WPA3 Personal or WPA2 Personal. Furthermore, they should conduct regular audits of what is connected and disable any devices not regularly used.

At the same time, WFH workers should also leverage the micro-segmentation feature usually available in the firmware of most Wi-Fi routers. This allows users to operate separate networks - one for guests and IoT devices, another for corporate purposes. Network segmentation is critical to cyber hygiene in the enterprise and at home.

The survey revealed that 51% of IT decision-makers (who have IoT devices connected to their organization's network) segmented IoT devices on a separate network, isolated from the one used for primary business devices and business applications (e.g., HR system, email server, finance system). That said, a significant number of global IT decision-makers (one in five) admit their organization's IoT devices are not segmented onto a separate network from the one they use for primary devices and key business applications. The situation is worse in some markets, such as the UK, where one in three admit to having no segmentation at all.

IT teams and remote employees must collaborate to secure the network, as opposed to adopting a hub-and-spoke connection model, where everything goes through one security pipe and home workers connect back into the business via VPN. Due to the complexity of today’s connected ecosystem, one-size-fits-all security is insufficient. All too often, users look for the OFF switch on their VPN to run core business services such as conferencing. In our digital age, edge cybersecurity must adapt to being contextually aware. In this way, the appropriate security is transparent to the user and optimizes the experience, so there is no need to turn it OFF.

Trust in Zero Trust

Finally, IoT cybersecurity management lies within the enterprise itself and how rogue IoT devices are policed and prohibited from connecting to the network. Organizations should be using least-privilege access policies to prevent unauthorized (consumer) devices from connecting to corporate networks. Only approved devices and users should be allowed access to necessary resources.

Zero Trust is key to securing IoT devices and avoiding the risk of data exposure, which would negatively impact business continuity. Organizations can benefit from real-time monitoring solutions that continuously analyze the behavior of network connected IoT devices, to seek to know the unknowns. This means discovering the exact number of devices connected to the user’s network, including the ones they are and are not aware of — and those forgotten. The inventory of IoT assets can then use current firewall investments to automatically recommend and enforce security policies, based on the level of risk and the extent of untrusted behavior detected in those devices. A point solution can extend a corporate network and bring unified security policy management and Secure Access Service Edge (SASE) to remote workers.
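The approved-devices-only policy and the device inventory described above can be sketched as a small audit, shown here as an added example that is not from the original article or from any vendor product. The MAC addresses, hostnames, segment names ("corp", "iot") and decision labels are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): MAC address -> device class approved by IT.
APPROVED = {
    "aa:bb:cc:00:00:01": "corporate",  # managed laptop
    "aa:bb:cc:00:00:02": "iot",        # approved meeting-room camera
    "aa:bb:cc:00:00:03": "iot",        # approved printer, currently offline
}

# Least privilege: each class may live on exactly one segment.
ALLOWED_SEGMENT = {"corporate": "corp", "iot": "iot"}


@dataclass(frozen=True)
class Seen:
    mac: str
    hostname: str
    segment: str  # segment on which the device was observed


def decide(dev: Seen) -> str:
    """Return the policy decision for one observed device."""
    device_class = APPROVED.get(dev.mac.lower())
    if device_class is None:
        # Unknown device: never allowed on the corporate segment;
        # on an isolated segment it is flagged for inventory review.
        return "deny" if dev.segment == "corp" else "review"
    wanted = ALLOWED_SEGMENT[device_class]
    return "allow" if dev.segment == wanted else f"move-to-{wanted}"


def audit(observed):
    """Decide every observed device and list approved devices never seen."""
    decisions = {d.mac.lower(): decide(d) for d in observed}
    not_seen = sorted(set(APPROVED) - set(decisions))
    return decisions, not_seen


# Constructed observations, e.g. exported from a router's client list.
OBSERVED = [
    Seen("AA:BB:CC:00:00:01", "laptop-17", "corp"),
    Seen("aa:bb:cc:00:00:02", "room-cam", "corp"),    # approved IoT, wrong segment
    Seen("de:ad:be:ef:00:10", "pet-feeder", "corp"),  # unapproved consumer device
    Seen("de:ad:be:ef:00:11", "smart-bulb", "iot"),   # unknown but isolated
]

if __name__ == "__main__":
    decisions, not_seen = audit(OBSERVED)
    for mac, verdict in decisions.items():
        print(mac, verdict)
    print("approved but not seen:", not_seen)
```

MAC addresses can be randomized or cloned, so an audit like this is an inventory aid rather than an authentication control.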

IoT devices are critical to our everyday lives and work, so organizations must reevaluate the way they have traditionally responded to cybersecurity and create a culture of proactive cyber health that extends from the C-suite to all workers. Hybrid working is here to stay, so business leaders must learn and implement best practices, as well as train and educate employees on how they can work safely when remote. There needs to be more dialogue, communication, and transparency within the business to avoid preventable human errors and simplify cybersecurity at all levels.
