Five pitfalls to avoid in mobile and IoT security
Mobile and the Internet of Things (IoT) are increasingly important to enterprises, as these technologies enhance communication and productivity in multiple industry sectors.
"Consumers are demanding access anytime, anywhere, anyhow," said Sean Peasley, a partner at Deloitte's Cyber Risk Services practice. "The data those devices collect will grow exponentially with market and application growth, allowing for more in-depth analysis and near-real-time responsiveness."
The rise of mobile paved the way for IoT -- interest in which is up across enterprises, Peasley said. Some 38 percent of tech leaders said their companies are currently using IoT devices, according to a recent Tech Pro Research survey. An additional 30 percent of respondents said their companies are in the planning or considering stages of adopting these devices.
"We see more and more IoT and mobile devices in the enterprise," said Christos Dimitriadis, chair of the board of directors of ISACA. "This is quite concerning, because there are a lot of measures that have to be taken to make sure that we safely embrace that technology. IoT and mobile are the future, but we have an emerging cyber threat landscape."
Here are five common pitfalls to avoid in mobile and IoT security.
SEE: Enterprise IoT Research 2017: Benefits, Trends, and Security Concerns (Tech Pro Research)
1. Using default passwords
Many IoT devices come programmed with a default password, said Forrester senior analyst Merritt Maxim. It's important for home and enterprise users alike to immediately change default passwords upon installing an IoT system, and to avoid purchasing systems that do not allow you to change default passwords, Maxim said. If you do not, hackers with knowledge of the devices can use those passwords to gain control of them.
"The problem with IoT is the I, not the T," Maxim said. "People like to joke about hacking refrigerators, but the reality is all of those devices are sending data to some back-end system, generally in the cloud, that contains lots of useful information. Hacking an individual refrigerator is less interesting than hacking the cloud database on the back end."
2. Failing to update devices
Ignoring mobile and IoT device updates puts enterprises at major risk of security vulnerabilities, Maxim said. Enterprise users should also avoid purchasing devices that have no means of updating or patching, he added. This becomes important not just for security, but also for updating systems to function as your organization needs them to, Maxim said.
Among IoT developers, there is growing pressure to accelerate time-to-market, Dimitriadis said. "Many times, that denies you time to be able to provide a holistically secure solution, making sure you have a program in place to patch this device periodically," he added. The recent WannaCry ransomware attack was able to spread largely due to a patching issue, Dimitriadis said.
"Tech companies have to make sure they have the right programming in place to identify vulnerabilities and apply patches very quickly," Dimitriadis said.
3. Assuming EMM is enough
Many companies with enterprise mobility management (EMM) policies in place assume that those are enough to secure mobile and IoT devices, said Patrick Hevesi, research director of security and risk management at Gartner.
"I don't think that's the case anymore," Hevesi said. "Mobile threats are deploying to millions of devices, and growing daily."
Instead, organizations should perform a risk assessment of both mobile and IoT, to understand the different attack vectors and how to block them, Hevesi said. These potential vectors include sideloading, malicious apps, and insecure wi-fi networks.
Depending on the data on the device, you may need more or less security in place, Hevesi said. For example, administrators at government agencies and banks likely need extremely strong protections in place, while offices with BYOD policies may just need to set the minimum operating system version required.
"There are a lot of moving parts, and not just one solution a company can put in," Hevesi said. "You have to start looking at it like a menu -- if I have high-class data I need to do this, if I have low-class data I need to do this."
SEE: Mobile device computing policy (Tech Pro Research)
4. Lacking a holistic security approach
Most organizations lack an effective IoT cybersecurity program, face a shortage of specialized talent, and have insufficient budgets, leading them to implement multiple point solutions that lack integration and don't fully mitigate cyber risks, Peasley said. And traditional security models do not typically take into account the multilayered nature of IoT and the large scale of vulnerabilities that come with it, he added.
To ensure mobile and IoT security practices are created and upheld, enterprises must develop a holistic approach that combines policies with the actual technology, people, and culture of the organization, said Dimitriadis.
"We see initiatives being taken in many cases that partially address the problem, but what is needed here is a holistic solution," Dimitriadis said. First, companies need to have a clear policy in place about mobile and IoT use in the enterprise. Then, they must raise awareness among staff, and make sure there is training in place for employees to both recognize and mitigate cyberattacks.
"An enterprise risk management framework that incorporates cyber threats and links them to actual business, products, services, and brand names will help make it certain that steps toward cybersecurity will be made," Dimitriadis said. "It's about recognizing the problem and understanding the relevance of the threats to the business."
Enterprise leaders must make sure they don't wear a blindfold when it comes to mobile and IoT, Dimitriadis said. "Workers expect a workplace where these devices are welcome," he added. "It is a trend, and we need to embrace it rather than pretend we're able to stop it."
5. Leaving security as an afterthought
Security is often an afterthought for both the enterprises installing mobile and IoT systems, and for the developers creating these systems, Peasley said. Further, sensitive data throughout the product lifecycle is not secured, and potential issues could significantly harm the brand and the workers if it is exposed.
Lack of a proper strategy around developing IoT devices and features could impact the business, and put both brand reputation and human lives at risk, Peasley said.
"It's key to have a holistic approach that includes risk-prioritized controls to defend critical assets against known and emerging threats, threat intelligence and situational awareness to anticipate and identify harmful behavior, and being prepared and having the ability to recover from cyber incidents and minimize their impact," Peasley said.