IoT and BYOD Scream for a Written Network Security Policy - Here’s Where to Start
Check out these stats from CMO.com on the Internet of Things (IoT):
- By 2020 the number of Internet-connected things will reach 50 billion, with $19 trillion in profits and cost savings over the next 10 years
- Despite this number, only 0.06% of things that could be connected to the Internet currently are, meaning 10 billion of the 1.5 trillion global things are currently connected
- Despite the number of current connected things, 87% of people haven’t heard of the term ‘Internet of Things’
These are sobering stats, and ones that could have implications for enterprise networks. As BYOD proliferates across the organization and its network, the way a company manages mobile devices can have wide-ranging network and data security implications. Every connected device represents a potential access point into your organization, so in the future, when an employee checks his home Nest thermostat, is he inviting unwanted network access by hackers?
An article earlier this year at Forbes shared research showing how hackers were able to trick Wi-Fi connected devices, such as baby monitors and even PCs, into communicating with a compromised Nest thermostat, giving them access to personal data and information. As the article concluded:
Established Internet of Things devices aren’t encrypting data on their devices because it’s very intensive. Up until now, they’ve chosen not to include strong security because it impacts cost. They don’t want to do it.
So how you handle BYOD at your organization today may look a lot different in the not-too-distant future. First of all, forget banning BYOD. It’s a waste of time and, frankly, not a good idea. BYOD provides real organizational benefits, including improved employee productivity. Since BYOD is going to happen, here are some things to consider in terms of network security.
Start with a specific BYOD security policy. Consider the types of data your organization stores and the types employees can access. If you’re dealing with personalized information such as banking or healthcare data, then you need to strictly control what devices can access this data and how. Beyond this ultra-sensitive data, be smart about who has access and how this data is used. You may also want to create a BYOD ceiling to limit the number of devices employees can connect and possibly even what types of devices they can connect (do employees need data access from their watches?).
As you develop a BYOD security policy, ask yourself the following questions. The answers will help guide the creation of your policy.
- What is my current digital footprint? You need to think like a hacker here. What visible and not-so-visible channels are currently exposed? Think about your employees, partners, and other stakeholders who may have access to your organization’s network.
- How secure are your employee devices? Depending on the size of your organization, this can be a daunting task, but one well worth the investment. Check devices and make sure that they have the proper security protocols enabled, that passwords are secure, and that they’re set up correctly. Build a process into your plan for enabling new devices on the network, so that each device is checked against the policy before it is allowed to connect.
- When was the last time you conducted a comprehensive scan of all ports, vectors, and protocols? Scan all network ports and identify the IT counterpart of open windows and unlocked doors. The most common malicious network scans search for vulnerabilities in a standard range of 300 ports on a network where the most common vulnerabilities are found. (However, you may have over 60,000 ports on your network that can be suspect.)
- How does your network interact with outside parties? As you think like a hacker, try to access your network from the outside and see what information your network exposes.
- How secure is your internal network? We all know that many data breaches are inside jobs, so be sure to check how employees access the internal network.
- When was the last time you addressed your wireless networks, including Wi-Fi, Bluetooth, RFID, and any rogue devices attached to them? These are all potential entry points into your network.
- Have you considered company-wide employee education on BYOD threats? It’s one thing to write down a policy and yet another entirely to conduct hands-on employee education.
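The BYOD ceiling, the allowed device types, and the per-device checks described above can be written down as policy-as-code so that the enrollment process applies the same rules to every device. The following is an added example, not code from the original post: the policy thresholds, the device attributes, and the sample inventory are all constructed and hypothetical, and a real deployment would read device attributes from an MDM or enrollment agent rather than from hard-coded objects.

```python
"""Evaluate a BYOD enrollment request against a written device policy.

Added example (not from the original post). Every device, threshold and
name below is constructed sample data; the check logic is the point.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    owner: str            # employee who wants to enroll the device
    kind: str             # "phone", "laptop", "tablet", "watch", ...
    os_version: tuple     # e.g. (14, 2); tuples compare lexicographically
    encrypted: bool       # storage encryption enabled
    screen_lock: bool     # device locks when idle
    passcode_len: int     # length of the unlock passcode


@dataclass
class BYODPolicy:
    max_devices_per_user: int = 2                    # the "BYOD ceiling"
    allowed_kinds: frozenset = frozenset({"phone", "laptop", "tablet"})
    min_os_version: dict = field(default_factory=lambda: {
        "phone": (13, 0), "laptop": (12, 0), "tablet": (13, 0)})
    min_passcode_len: int = 6


def evaluate(device, policy, enrolled):
    """Return the list of policy violations for one request.

    An empty list means the device may be enrolled. All checks run, so the
    employee sees every problem at once rather than one per attempt.
    """
    problems = []
    if device.kind not in policy.allowed_kinds:
        problems.append(f"device type '{device.kind}' is not permitted")
    owned = [d for d in enrolled if d.owner == device.owner]
    if len(owned) >= policy.max_devices_per_user:
        problems.append(f"{device.owner} already has {len(owned)} enrolled "
                        f"devices (ceiling is {policy.max_devices_per_user})")
    if not device.encrypted:
        problems.append("storage encryption is disabled")
    if not device.screen_lock:
        problems.append("screen lock is disabled")
    if device.passcode_len < policy.min_passcode_len:
        problems.append(f"passcode length {device.passcode_len} is below "
                        f"the minimum of {policy.min_passcode_len}")
    minimum = policy.min_os_version.get(device.kind)
    if minimum is not None and device.os_version < minimum:
        problems.append(f"OS version {device.os_version} is older than "
                        f"the required {minimum} for a {device.kind}")
    return problems


# Constructed sample inventory: devices already enrolled on the network.
POLICY = BYODPolicy()
ENROLLED = [
    Device("alice", "phone", (14, 2), True, True, 6),
    Device("alice", "laptop", (13, 1), True, True, 8),
    Device("bob", "phone", (13, 5), True, True, 6),
]

# Constructed enrollment requests, each chosen to exercise one rule.
REQUESTS = {
    "alice-tablet": Device("alice", "tablet", (14, 0), True, True, 6),
    "bob-laptop-unencrypted": Device("bob", "laptop", (12, 3), False, True, 8),
    "carol-watch": Device("carol", "watch", (9, 0), True, True, 4),
    "carol-phone": Device("carol", "phone", (14, 1), True, True, 6),
    "dave-old-phone": Device("dave", "phone", (12, 4), True, True, 6),
}


def run_sample():
    """Evaluate every constructed request; maps request label -> violations."""
    return {label: evaluate(dev, POLICY, ENROLLED)
            for label, dev in REQUESTS.items()}


if __name__ == "__main__":
    for label, violations in run_sample().items():
        verdict = "ENROLL" if not violations else "REJECT"
        print(f"{verdict:6} {label}")
        for v in violations:
            print(f"        - {v}")
```

Running the script rejects four of the five constructed requests (one over the ceiling, one unencrypted, one disallowed watch with a short passcode, one on an outdated OS) and enrolls only Carol's phone. Keeping the rules in one `BYODPolicy` object means the thresholds in the written policy and the thresholds the enrollment process enforces cannot silently drift apart.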
BYOD is the new normal, and how these devices are connected, and to what, can open up a network security nightmare. No security policy is airtight, but a well-thought-out BYOD and network security policy is a great place to start!