Just "ensure that the passwords you're creating for IoT devices are unique and complex [i.e., include a combination of uppercase and lowercase letters, numbers and special symbols], as many IoT devices only require the use of simple passwords or other simple authentication methods to manage themselves, allowing attackers to eavesdrop on the data stream," adds Aamir Lakhani, security strategist, FortiGuard Threat Research and Response Labs at Fortinet, a network security company.
Concern No. 2: Threat to enterprise data and network security
"Businesses should be wary of IoT in terms of connected devices and the security of their networks," says Reggie Best, chief product officer, Lumeta. "Any device with built-in network connectivity creates a risk, a so-called backdoor connection that could be exploited for data exfiltration," or a DDoS attack. As a result, "enterprise IT managers need to be constantly aware of when new devices connect to the network, identify the types of devices and know where in the network these devices are located," he says. "If a smartphone joins a guest wireless zone of the network, it's likely expected behavior. If a 'smart' refrigerator connects to the payment card zone, however, that's a different story."
"IoT devices represent a tremendous blind spot for organizations," says Rehan Jalil, CEO, Elastica, a provider of cloud app security. "Aside from questions regarding what data is stored on these devices, there are broader issues around what data is transmitted from these devices and where that data ultimately lands," he says.
"Questions around data governance have always been central to security and IoT is no exception." And "making a multimillion-dollar investment in IPS and firewalls is of little benefit when employees can easily copy data to the cloud."
And unfortunately, "most company's BYOD policies don't cover IoT," notes Rob Clyde, vice president, ISACA International, a global association of 115,000 professionals that helps enterprises maximize the value of their information and technology.
"ISACA's recent IT Risk/Reward Barometer study reveals that only 11 percent of companies have a BYOD policy that also addresses BYOW (bring your own wearables), even though 81 percent in the same survey said that employees bringing wearable devices to work represents equal or greater risk than bringing their smartphones or tablets to work," Clyde says.
To limit potential breaches and protect sensitive data, "company policy should dictate whether wearable devices are allowed in the workplace, what types are allowed and what security is required," he advises. "For example, restrict employees' wearable devices to only connect to the Internet via a cellular or guest network."
Concern No. 3: No good, comprehensive way to manage all of these IoT devices
"When looking at the current state of the Internet of Things, the industry lacks one glaring success factor: a set of standards for application program interfaces (APIs), which are credited as being the building blocks of the IoT -- and are essential for managing all of these disparate devices," explains Lee Odess, general manager, Brivo Labs.
Sign up for MIS Asia eNewsletters.