How to Decide Which IoT Devices to Allow

Today’s smart devices allow us to do everything from changing the temperature of our oven to finding our car keys. But the potential security threat these devices pose is a serious matter. A Gartner survey found that almost 20 percent of organizations have had at least one Internet of Things (IoT)-based attack in the last three years. Therefore, businesses should consider how these devices could be exploited.

1. Consider the Insecure Nature of IoT Devices

In 2017, Impulse reported on a demonstration of how a teddy bear could be weaponized to spy on children via IoT. Since then, IoT exploitation has gone far beyond demonstrations. Not long after that theoretical display, for example, hackers exploited a fish tank thermostat to steal data from a casino.

Part of the reason why the Internet of Things is so insecure is that there is little consensus around the security standards that apply to these devices. However, this may change soon. The National Institute of Standards and Technology (NIST) is in the process of creating some security standards that may help. For the moment, there remain a number of separate standards with little consensus.

In the meantime, buyers will likely need to resort to common-sense measures when determining which devices are more secure. Generally speaking, newer devices are more likely to be up to date with modern security standards, and more expensive models are more likely to have had the budget to take security concerns seriously.

2. Consider How to Make IoT More Secure

The sad truth is that most IoT devices are relatively insecure, but that doesn’t mean there aren’t ways to improve their security. Effective practices for improving IoT devices’ security include the following:

  • Change usernames and passwords. If your IoT devices come with default usernames and passwords, changing these defaults will make your devices more secure than those of the many owners who keep the original settings.
  • Keep software up to date. If your IoT devices’ creators send out updates, use them.
  • Check IoT devices’ settings. There may be settings that could increase your devices’ security. For example, your device may allow for two-factor authentication (2FA).

3. Consider the Risks and Benefits of Blocking Devices

With so many uses for IoT and more to come, a policy of blocking all IoT devices is unlikely to work. Therefore, it is necessary to consider which devices provide your organization with enough benefits to outweigh any potential harm.

Some devices are obvious ones to allow, such as devices necessary for employees to complete their work. For example, if you’re setting up a security system using IoT-based cameras, then these cameras must be allowed. Less clear are devices that employees might bring into the office as part of Bring Your Own Device (BYOD). In these cases, it might be necessary to consider your business’s culture and which types of devices will maximize your employees’ productivity. A smartwatch, for instance, might allow your employees to respond faster to notifications and keep better track of their time.

4. Maximize Security of Allowed Devices

While you’re probably not going to eliminate insecure IoT devices from your workplace’s network, there are measures to take to minimize the risk to your business. Some possibilities include the following practices:

  • Create a separate network. Creating a network for IoT devices (such as a guest network) allows you to take advantage of IoT devices’ benefits while limiting their effect on the security of your primary network.
  • Monitor devices on your network. It’s important to be aware of which devices are using the network so that any unnecessary devices can be removed, and the devices can be assessed for their potential to result in security breaches.
  • Educate employees. Teach your employees ways to make their IoT devices more secure.
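
The first two practices above can be checked together. The following is an added example, not code from Impulse or SafeConnect: it reads DHCP leases in the dnsmasq lease-file layout and flags devices that are missing from an approved inventory or that sit on the wrong side of the IoT/primary split. The address range, inventory entries and lease lines are all constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (hypothetical): IoT devices live on their own segment.
IOT_NET = ipaddress.ip_network("10.0.50.0/24")

# Constructed inventory of approved devices: MAC -> (label, category).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("finance-laptop", "corp"),
    "aa:bb:cc:00:00:02": ("lobby-camera", "iot"),
    "aa:bb:cc:00:00:03": ("breakroom-thermostat", "iot"),
}

# Constructed sample in dnsmasq lease-file layout: expiry mac ip hostname client-id
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.0.21 finance-laptop *
1700000000 aa:bb:cc:00:00:02 10.0.50.10 lobby-camera *
1700000000 AA:BB:CC:00:00:03 10.0.0.77 thermostat *
1700000000 de:ad:be:ef:00:09 10.0.50.44 * *
not a lease line
"""

def parse_leases(text):
    """Yield (mac, ip) for each well-formed lease line; skip malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            yield fields[1].lower(), ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # third field is not an IP address

def audit(text, inventory=INVENTORY):
    """Return sorted findings as (mac, ip, reason) tuples."""
    findings = []
    for mac, ip in parse_leases(text):
        entry = inventory.get(mac)
        if entry is None:
            findings.append((mac, str(ip), "unknown device: not in inventory"))
        elif entry[1] == "iot" and ip not in IOT_NET:
            findings.append((mac, str(ip), f"IoT device {entry[0]} off the IoT segment"))
        elif entry[1] == "corp" and ip in IOT_NET:
            findings.append((mac, str(ip), f"corporate device {entry[0]} on the IoT segment"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, ip, reason in audit(SAMPLE_LEASES):
        print(f"{mac:17}  {ip:12}  {reason}")
```

MAC addresses can be changed by the device owner, so an inventory match identifies a claimed device rather than proving what it is.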

5. Decide How to Enforce Best Practices

Considering ways to secure your IoT devices means little if you don’t have ways to enforce these measures. Some methods include:

  • Incorporate IoT security best practices into your cyber security policy. Your cyber security policy should take into account the ways to maximize the security of BYOD devices and ways to make IoT more secure.
  • Create a BYOD policy. If your organization doesn’t already have a BYOD policy, make one. Note which IoT devices are and/or are not permitted.
  • Invest in cybersecurity software. For example, Network Access Control (NAC) can help ensure devices accessing your network have functional antivirus software and other security measures in place.

How Impulse Can Help

Impulse Point provides SafeConnect, a NAC solution. SafeConnect can help companies limit insecure IoT devices’ access to their network and help ensure that devices remain on their intended networks. Please request a demo to learn more.

Are you involved in network security? Complete our Network Security Assessment to be among the first to see our results. Don’t miss this opportunity to assess your security and get an edge over cyber criminals.
