Cyber adversaries know that one small IoT sensor can provide entry into a corporate network to launch ransomware attacks and more. According to a survey of IT decision-makers by Palo Alto Networks, 78% of respondents (among those whose organization has IoT devices connected to its network) reported an increase in non-business IoT devices on corporate networks in the last year.
Smart lightbulbs, heart rate monitors, connected gym equipment, coffee machines, game consoles and even pet feeders are among the list of the strangest devices identified on such networks in the study.
Non-business IoT devices creating risk
For the second year, survey responses warn of needed security changes to protect corporate networks from non-business IoT devices. This year, 96% of the same group above indicated their organization’s approach to IoT security needs improvement, and 25% said it needs a complete overhaul with the greatest security capability needs around threat protection (59%), risk assessment (55%), IoT device context for security teams (55%), and device visibility and inventory (52%).
“IoT adoption has become a critical business enabler. It presents new security challenges that can only be met if employees and employers share responsibility for protecting networks,” said Ryan Olson, VP of threat intelligence, Unit 42 at Palo Alto Networks.
“Remote workers need to be aware of devices at home that may connect to corporate networks via their home router. Enterprises need to better monitor threats and access to networks and create a level of segmentation to safeguard remote employees and the organization’s most valuable assets.”
Worth noting, of the 1,900 global IT decision-makers polled, 51% indicated that IoT devices are segmented on a separate network from the one they use for primary business devices and business applications (e.g., HR system, email server, finance system), and another 26% of respondents said that IoT devices are microsegmented within security zones — an industry best practice where organizations create tightly controlled security zones on their networks to isolate IoT devices and keep them separate from IT devices to avoid hackers from moving laterally on a network.
There are other worthwhile steps for mitigating IoT security risk at home and in the enterprise.
Top 3 IoT security tips for the work-from-home (WFH) employee
- Get more familiar with your router. All of your IoT devices likely connect to the internet through your router. Start by changing defaults — the settings every router comes with — to something unique. Then encrypt your network by simply updating your router settings to either WPA3 Personal or WPA2 Personal.
- Keep track of which devices are connected. You can access your router’s web interface and look for “connected devices,” “wireless clients” or “DHCP clients” to see a list and disconnect older devices you no longer use, and disable remote management on the devices where you don’t need it.
- Segment the home network. Network segmentation is not only for large corporations. You can segment your home network by creating a guest Wi-Fi network. The easiest way to do this is to have IoT devices use a guest Wi-Fi network, while other devices use the main network. This helps to logically group devices in your home and isolate them from each other. Keeping them on a separate network makes it difficult to get to your computers from a compromised IoT device.
Top 3 IoT security tips for the enterprise
- Know the unknowns. Get complete visibility into all IoT devices connected to the enterprise. An effective IoT security solution should be able to discover the exact number of devices connected to your network, including the ones you are and are not aware of — and those forgotten. This discovery helps collect an up-to-date inventory of all IoT assets.
- Conduct continuous monitoring and analysis. Implement a real-time monitoring solution that continuously analyzes the behavior of all your network-connected IoT devices to contextually segment your network between your IT and IoT devices — and their workloads. Securing and managing WFH setups as branch extensions of the enterprise requires a new approach.
- Implement zero trust for IoT environments. An IoT security strategy should align with the principle of zero trust to enforce policies for least-privileged access control. From there, look for an IoT security solution that leverages your existing firewall investment for comprehensive and integrated security posturing. Running in conjunction with the capabilities of your firewall, the solution should automatically recommend and natively enforce security policies based on the level of risk and the extent of untrusted behavior detected in your IoT devices. Additionally, a point solution can extend a corporate network and bring unified security policy management and secure access service edge (SASE) to WFH employees.