Conventional approaches to cybersecurity focus on one fundamental concept: protecting every device in sight to keep hackers, attackers, and thieves away. However, this concept is outdated in a highly networked world in which many sensors, devices, and systems supply each other with data. The Internet of Things is growing, and IDC predicts there will be 41.6 billion connected IoT devices by 2025.
What does this mean for companies? If you are stuck with the traditional approach to security, it is time to restart your security initiative to reflect a limitless computing environment. The IoT is very different from IT, and it is essential to focus on the network and the overall data environment rather than the specific device.
The IoT Is Simply The Next Phase Of IT Security
Nothing could be further from the truth. Connected devices and systems represent a more decentralized approach to computing and cybersecurity. Moving to the IoT requires a substantial conceptual leap for IT teams as they are no longer the buyer or device owner.
The problem is that IT teams are trying to use the same tools and approaches that were in use when Fort Knox was founded. They approach a business problem as an IT problem. The IoT is not about laptops and smartphones, and it’s not about protecting user networks. It’s a whole different world that revolves around protecting business processes and data.
Business leaders who understand IoT realize that taking a holistic, data-centric approach rather than making everything more complex can make cybersecurity easier.
IT Should Oversee The Security Of The IoT
Typically, when IT is responsible for the security of the Internet of Things, it uses conventional tools, technologies, and approaches to the task. This “one-size-fits-all” approach often leads to disappointing results. The IoT goes beyond the limits of traditional computer systems. Data resides on various devices inside and outside a company and flows through many other points of contact.
But there is another, sometimes bigger, problem. With IoT spanning teams, departments, and companies, it’s easy to settle for an isolated approach to cybersecurity. In some cases, different groups dealing with security issues can duplicate each other's work or even inadvertently use conflicting methods – and ultimately leave an organization unprotected.
Alignment between IT and cybersecurity teams is even more critical in the age of IoT. This requires close collaboration between CIOs, CSOs, and CISOs. You need to identify and analyze all of your resources and understand how, why, and where data is being used. Only then can you design a framework that is optimized for the IoT. This may require hiring or retraining people with the right skills and expertise.
Traditional Security Tools And Strategies Will Protect Us
The castle-and-moat approach to cybersecurity can actually “undermine” IoT security. While still valuable, malware protection and other traditional tools were not designed for managing data streams across sensors, edge environments, and modern multipurpose devices.
This does not mean that an organization should remove these protections; it just needs to redesign them and add new features as they become available. This could be, for example, data encryption during transmission or tools for network monitoring that detect when data is particularly at risk. It could also be setting up separate networks for different types of data. Even if someone hacks a device or system, they may not get anything of value.
AI can find IoT devices on a network, including previously hidden devices, ensure they have received critical updates and security patches, and identify other potential problems. Machine learning enables IoT devices to be grouped based on security risks without additional security software and manual processes. This approach allows for risk assessments of when devices function “normally” or “suspiciously” and helps enforce IoT guidelines.
It’s All About Protecting Your Device
The application of conventional IT security thinking to the IoT opens another trap. IoT security requires a broader approach that includes network authentication, connectivity, clouds, and more. “It is time to stop thinking of IoT devices as small PCs. Most of these devices are simple and dumb,” says Utter.
With thousands or tens of thousands of IoT sensors and devices, it is impossible to protect every one of them in an intelligent business, supply chain, or city. While it’s essential to protect a medical device or car from hacking attacks, many connected sensors and devices have read-only components that cannot be compromised. As a result, enterprise IoT security measures must revolve around more complex relationships between systems and data.
“You really have to start with the basics,” emphasizes Utter. “That means that you have to create a zero trust framework.” In this new order of IoT, the network is the thing – and all sensors, devices, systems, and data have to be viewed holistically. “By classifying data, setting up zones, and creating whitelisted applications and processes, it is possible to identify the right protective devices and tools for the right task.”
This means, for example, that one has to move away from a traditional model in which all sensors and devices are integrated into the same network. Instead, a company can benefit from organizing its systems according to business tasks, data security, and trust levels. It is then necessary to create network nodes, departments, or zones and implement tools and protective devices that meet the security requirements.
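The zoning and allow-listing described above can be expressed as a default-deny flow check. The following Python sketch is an added example, not part of the original article; the device names, zone labels, services, and flow records are all constructed for illustration.

```python
from typing import NamedTuple

class Device(NamedTuple):
    task: str        # business task the device serves
    data_class: str  # classification of the data it handles
    trust: str       # trust level assigned to the device

# Constructed inventory (hypothetical device names).
INVENTORY = {
    "temp-sensor-17": Device("building", "public", "low"),
    "telemetry-gw": Device("building", "internal", "medium"),
    "infusion-pump-2": Device("clinical", "restricted", "high"),
    "clinical-db": Device("clinical", "restricted", "high"),
}

def zone_of(name):
    """Derive the zone from business task, data classification and trust level."""
    dev = INVENTORY.get(name)
    return None if dev is None else f"{dev.task}/{dev.data_class}/{dev.trust}"

# Allow-list of (source zone, destination zone, service); everything else is denied.
ALLOWED_FLOWS = {
    ("building/public/low", "building/internal/medium", "mqtts/8883"),
    ("clinical/restricted/high", "clinical/restricted/high", "https/443"),
}

def check_flow(src, dst, service):
    """Return (verdict, reason) for one observed flow, denying by default."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return ("deny", "device not in inventory")
    if (src_zone, dst_zone, service) in ALLOWED_FLOWS:
        return ("allow", f"{src_zone} -> {dst_zone}")
    return ("deny", f"no allow-list entry for {src_zone} -> {dst_zone} on {service}")

# Constructed flow records: (source, destination, service).
OBSERVED = [
    ("temp-sensor-17", "telemetry-gw", "mqtts/8883"),
    ("infusion-pump-2", "clinical-db", "https/443"),
    ("temp-sensor-17", "clinical-db", "https/443"),  # sensor reaching across zones
    ("ip-camera-9", "telemetry-gw", "mqtts/8883"),   # device nobody registered
]

def audit(flows):
    """Evaluate every observed flow against the zone allow-list."""
    return [(f, *check_flow(*f)) for f in flows]

if __name__ == "__main__":
    for flow, verdict, reason in audit(OBSERVED):
        print(f"{verdict.upper():5} {flow[0]} -> {flow[1]} [{flow[2]}]: {reason}")
```

The two denied flows are the cases the zoning is meant to catch: a low-trust sensor trying to reach restricted data, and traffic from a device that is missing from the inventory.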
Manufacturers’ Safety Precautions Are Critical
The prevailing mentality is that vendors need to build strong safeguards into their products. And if there is a patch, the user has to rush to install it. Unfortunately, this is a flawed concept in the age of connected devices. That’s not to say that security shouldn’t be built into products. It just means that an organization shouldn’t consider the security measures of IoT device providers as the primary form of protection.
Many sensors are just “dumb endpoints” that are replaced and not patched. Even when it comes to more complex devices, “most companies use IoT components and never update or patch them.” The problem is that firmware patches and upgrades become a nightmare for thousands of networked devices.
The bottom line? Security on the device becomes much less critical when data and network controls are in place. The IoT requires a broader overarching strategy that spans all device manufacturers. Ultimately, protecting the IoT doesn’t have to be a chore.