As IoT devices proliferate, corporate security teams are facing steep challenges while developing their data privacy strategies
As connected devices are built into more business processes and industrial systems, the exponential growth of IoT brings an unparalleled expansion of the corporate attack surface. That expansion will become a major challenge for corporate security teams, especially in privacy law compliance and risk/vulnerability management.
Technology drives change in the way enterprises operate, and the word “disruptive” has become overused to describe the impact. Yet IoT Analytics reports around 7 billion IoT devices already in use, with the number projected to reach 21 billion by 2025.
Recently, a study by the Ponemon Institute revealed that the share of data breaches caused by insecure IoT devices has risen from 15% to 26% since 2017. Complicating IoT device security further is the fact that most firms have no centralized function to manage these devices, nor a structured, precise strategy for securing and maintaining them. Even security teams that are well staffed to handle IoT device proliferation may still be blind to those devices' presence on the network and to their security posture.
The pursuit of operational efficiency and competitive advantage will increase demand for business IoT. Inevitably, disparate IoT technologies and products will converge into larger, more unified industrial IoT processes.
The major challenges for security teams
Enterprise security teams already have a tough time ensuring that their production systems are well patched; added to that is the burden of patching a wide range of connected devices. Smart “things” in business settings will dramatically increase the total number of devices that must be patched and monitored – assuming that patches are available at all.
Beyond the vulnerability management issues, the legal implications of privacy violations present another significant challenge. The IoT evolution will inevitably prompt a wave of cybersecurity legislation around the globe.
In today’s IoT age, enterprises may be gathering employee or consumer data via connected devices without prior permission. Navigating the twin challenges of emerging vulnerability management requirements and privacy laws could turn into a colossal endeavor for security teams.
Steps for reducing IoT risk
Moving ahead, enterprises will need to consider carefully how workplace IoT intersects with privacy and data protection laws. The effort should start with the following four steps to mitigate risk:
- Isolate the IoT devices into discrete logical segments of the network
- Monitor data flows to watch for anomalous or unexpected traffic patterns
- Include IoT-specific language in all data privacy agreements
- Ensure that all IoT buying decisions are driven by meaningful security considerations, such as the ability to receive and apply patches, to change default passwords, and to disable unneeded services on any IoT device.
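Steps 1 and 2 together imply a concrete check: once IoT devices sit in their own segment, every flow leaving that segment can be judged against a per-device policy. The script below, an added example rather than code from the article, does that over constructed flow records; the network ranges, device roles and policy entries are all assumed sample values.

```python
"""Flag policy-breaking traffic from a segmented IoT network (added example)."""
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("10.50.0.0/16")        # assumed IoT VLAN
CORPORATE_SEGMENT = ip_network("10.10.0.0/16")  # assumed corporate LAN

# Per-device policy: (dst_ip, dst_port) pairs each IoT device may reach.
# Assumed values: a sensor that only talks to an internal MQTT broker,
# and a camera that also uploads to its vendor's cloud service.
ALLOWED = {
    "10.50.1.20": {("10.50.250.5", 8883)},
    "10.50.1.21": {("10.50.250.5", 8883), ("203.0.113.7", 443)},
}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("10.50.1.20", "10.50.250.5", 8883, 1200),  # expected telemetry
    ("10.50.1.21", "203.0.113.7", 443, 54000),  # expected cloud upload
    ("10.50.1.21", "10.10.4.15", 445, 9000),    # camera reaching corporate SMB
    ("10.50.1.20", "198.51.100.9", 53, 300),    # sensor using an unknown resolver
    ("10.50.9.9", "203.0.113.7", 443, 10),      # device nobody inventoried
    ("10.10.2.2", "10.50.1.21", 554, 100),      # inbound from corporate; not judged here
]


def classify(flow):
    """Return a reason string if the flow breaks policy, else None."""
    src, dst, port, _ = flow
    if ip_address(src) not in IOT_SEGMENT:
        return None  # only traffic originating in the IoT segment is judged
    if ip_address(dst) in CORPORATE_SEGMENT:
        return "segmentation-violation"
    policy = ALLOWED.get(src)
    if policy is None:
        return "unregistered-device"  # step 1 presumes you know what is in the segment
    if (dst, port) not in policy:
        return "unexpected-destination"
    return None


def find_anomalies(flows):
    """Return [(src, dst, port, reason)] for every flow that breaks policy."""
    hits = []
    for flow in flows:
        reason = classify(flow)
        if reason:
            hits.append((flow[0], flow[1], flow[2], reason))
    return hits


if __name__ == "__main__":
    for src, dst, port, reason in find_anomalies(FLOWS):
        print(f"{reason}: {src} -> {dst}:{port}")
```

In practice the FLOWS list would be replaced by NetFlow/IPFIX or firewall log records exported from the IoT segment's gateway, and the policy table would come from the asset inventory that step 1 depends on.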
In the future, the required level of strategic collaboration between legal and security teams to address strict regulations like GDPR may well surpass expectations. Until then, given the rate of IoT market expansion, business leadership might begin with the most straightforward question: is the business skeptical enough about its current IoT strategy to protect the company adequately?