With 50 million connected devices predicted by 2020, the Internet of Things (IoT) is becoming a more pressing cyber security threat which IT managers should take seriously, according to industry experts.
Cisco Systems Australia and New Zealand director of enterprise networking, Robert De Nicolo, said the IoT creates a different operating environment for enterprises.
“At an RSA conference earlier this year they talked about a theoretical attack from an IP connected oven through to a power station which was connected to a smartgrid,” De Nicolo said.
“They [RSA] talked step by step through the process of getting from a commodity device to this incredibly powerful environment,” he said.
Because of these types of attacks, he said the traditional security model, which is perimeter-based, needs rethinking.
“Perimeters today are porous so we need to take steps to address that. We believe that security should be everywhere and that it should be an intrinsic part of the fabric of connectivity.”
For example, enterprises should use identity services to provide access for trusted people.
“We know that this in itself isn’t going to keep all of the threats out of our trusted environment so we need a very increased focus on visibility,” he added.
“You then want to take steps to apply policy across the network. I want these particular devices and these users to be able to communicate with others through a segmentation strategy that is layered on top of existing infrastructure.”
This includes switches, routers and wireless access points.
Symantec information protection business manager Nick Savvides noted that IoT will eventually grow in the enterprise market.
“There’s no doubt the market for IoT-ready devices is growing but it is still very fragmented, with a rich diversity in low-cost hardware platforms and operating systems,” he said.
“As market leaders emerge and certain ecosystems grow, the attacks against these devices will undoubtedly escalate, as we’ve already seen happen with the attacks on the Android platform. The good news is that OS makers, in particular Apple, are making good strides in enforcing security in the ecosystems they support, such as HomeKit.”
Turning to cyber insurance, Savvides said adoption is growing in response to regulations obliging companies to respond to information security breaches and the increase of cyber criminals using stolen information for payment fraud, identity theft and other crimes.
“Cyber attacks and data breaches cause reputational harm and business interruptions, but most of all—they are expensive. Relying on IT defences alone can create a false sense of security; however, no organisation is immune from risk. In 2016 many companies will turn to cyber insurance as another layer of protection, particularly as cyber attacks start mirroring physical world attacks.”
Cyber insurance offers organisations protection to limit their risk, but companies should consider all coverage options carefully. It’s not about checking off a box; it’s about finding a policy that protects an organisation’s brand, reputation, and operations if faced with a breach.
Infosys infrastructure, services security and cloud senior vice president Samson David said that as enterprise perimeters expand, so will security vulnerabilities.
“As global enterprises push to scale their businesses through initiatives like cloud and social media, information that previously resided in internal hardware will now be strewn across various devices and levels like on-premises, public clouds, social media and mobile,” David said.
“This will leave consumers, businesses and governments on constant high alert for increased risk, vulnerability and exposure.”
According to David, cloud security will increase in scale and decrease in complexity.
“In 2016 we’ll see cloud security evolve into simpler, virtualized controls and solutions that will have embedded security processes to help map current IT systems. Heavy, bolted-on protective layers that have difficulty scaling in the cloud will stay behind, and next year will have lighter, scalable cloud security solutions.”
BAE Systems Applied Intelligence regional general manager Dr Rajiv Shah said people shouldn’t ‘talk shop’ in the pub because of the risk of social engineering.
“Conversations about customers or internal operations might give someone a reason to eavesdrop, steal a device, or trick an employee into divulging inappropriate information. You might think the passer-by won’t know what you are talking about, but these days it’s surprisingly easy for someone to build up a profile of an individual from the bits of information that are out there,” he said.
Shah advised people to keep work-related conversation in the office to avoid any issues, and use the office party as a chance to switch off from talking shop.
He also advised people to conduct a drill before a security breach happens.
“Now is a good time to make sure you have an up to date inventory of your data, where it is stored and the impact of loss, and to make sure key staff know what to do and who to call in the case of an incident – just in case the worst happens when no-one is in the office.”