With IoT security spending expected to reach $1.5 billion this year, companies are taking active measures to protect themselves from the threat of unsecured IoT. Have IoT, but don’t have budget? Don’t let this stand in the way of making incremental progress. Here are three ideas to help get you started.
#1 Create an IoT Device Inventory
To secure a device, you first need to know it exists. Start by developing an inventory. This can be as simple as creating an Excel spreadsheet, or as advanced as training your automated discovery tool to detect and include each device type. Examples of IoT devices include camera systems, smart TVs, consumer-grade devices brought into the office by staff (e.g., Alexa, Echo), heating and air conditioning systems, vending machines, robots and yes, believe it or not, smart fish tank sensors.
In addition to the traditional inventory attributes, consider recording whether the default password has been changed, the operating system, last patch date, data types collected, where data is being sent, stored, etc. While creating a full inventory will take longer than a week to complete, the idea here is to simply start.
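Once those attributes are recorded, even a spreadsheet export can be checked automatically. The following is an added example, not part of the original article: it reads an inventory CSV and lists the devices whose security attributes are missing or stale. The column names, sample rows and the 180-day patch threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; column names and device rows are illustrative.
SAMPLE_CSV = """name,type,default_password_changed,os,last_patch_date,data_types,data_destination
lobby-cam-01,camera,no,Linux 3.10,2017-03-02,video,vendor cloud
boardroom-tv,smart TV,yes,Android TV 9,2024-01-15,usage metrics,
hvac-ctrl-2,HVAC controller,yes,,not recorded,temperature,on-prem BMS server
vending-3f,vending machine,yes,Linux 5.4,2024-02-20,payment telemetry,vendor cloud
"""

MAX_PATCH_AGE_DAYS = 180  # assumed review threshold, not from the article


def audit_row(row, today):
    """Return a list of findings for one inventory row."""
    findings = []
    # Anything other than an explicit "yes" is treated as unconfirmed.
    if row["default_password_changed"].strip().lower() != "yes":
        findings.append("default password not confirmed changed")
    if not row["os"].strip():
        findings.append("operating system not recorded")
    try:
        patched = date.fromisoformat(row["last_patch_date"].strip())
    except ValueError:
        # Blank cells and free text such as "not recorded" end up here.
        findings.append("last patch date missing or unparseable")
    else:
        age = (today - patched).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"last patched {age} days ago")
    if not row["data_destination"].strip():
        findings.append("data destination not recorded")
    return findings


def audit_inventory(csv_text, today):
    """Map device name -> findings, only for devices with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_row(row, today)
        if findings:
            report[row["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_CSV, date(2024, 3, 1)).items():
        print(f"{name}: " + "; ".join(findings))
```

Gaps in the inventory are reported as findings rather than skipped, so an incomplete row still shows up for follow-up.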
#2 Add an IoT Scenario to your Incident Response Plan
With IoT device data in scope for new regulations such as GDPR, having a documented plan of action in the event of an IoT-triggered breach is key. Update your incident response plan by adding a single IoT-specific breach scenario (the one with the highest impact) and create a supporting playbook that clearly lays out the steps to take in the event of device compromise or malfunction.
#3 Update Procurement Criteria
Imagine that, in the middle of an implementation, the long-awaited new IoT devices you purchased have just arrived. Unfortunately, you soon realize that they have hard-coded passwords, can't be patched remotely (i.e., over the air), and don't support encrypted communications.
As embedded systems within many IoT devices have less memory and processing power than typical compute devices, they may be unable to support enterprise-grade security. Consider adding IoT-specific criteria to vendor questionnaires and purchasing checklists. The answers just may surprise you, leading to some very different purchasing decisions.
IoT devices are here to stay. Taking the time to implement one or more of these low-cost, high-value ideas will take you one step closer to securing your IoT ecosystem.