Gartner is predicting that in less than four years the number of connected devices worldwide will total more than 25 billion. The main driver in this significant growth is the Internet of Things (IoT). Although the IoT often seems to be a futuristic and exotic concept – conjuring up images of robots, self-driving cars and automated workplaces – it is, in fact, already here, with devices including smart watches, wearable tech and home/building automation controls becoming more widely adopted.
According to a recent survey¹, however, almost half of IT professionals across numerous markets, including the financial sector, have little to no confidence in their ability to see, control and manage the growing number of IoT devices in their network environments. The main concern here is that when connected devices are left out of the security sphere, the organisation's attack surface expands and it becomes much more vulnerable.
There is also confusion around what constitutes an IoT device: the same survey found that, on average, respondents could identify at least nine out of 27 different types of IoT devices (e.g. desktop PCs, IP phones, tablets, video conferencing systems) on their networks. This number was consistent across all respondents – even those who claimed to have no IoT devices when initially asked.
A printer, for example, is often not perceived to be an IoT device. This is unsurprising in view of the fact that, for decades, a printer was no more than an automated typewriter attached to a computer. There was no inherent intelligence, and very little complication. But then came an evolution to multifunction and networked devices. Scanning, faxing and copying capabilities were added, along with both wired and then wireless networking. More storage capacity was also added to accommodate these functions. As with all other devices, the increase in options and capabilities comes with a commensurate increase in complexity and processing power. And this complexity and processing power means that rather than being an extension of a well-controlled computing device, the device itself is an integral part of the network, and, as such, it must be secured.
The conversations I have with people in the UK B2B finance industry around IoT are a mixed bag. Many feel that their network is well protected and that few IoT devices currently get access beyond phones and tablets. Many also acknowledge, however, that the IoT will become a bigger security concern in the future as their organisations begin to use more IoT devices as part of a natural evolution – wearable tech, IP kettles and vending machines, for example, may all become part of their network environment.
If a next-generation network access control (NAC) solution has already been deployed to protect the network, wireless IoT devices can be easily identified and then quarantined on a guest network or VLAN, thereby not letting these potentially risky devices onto the corporate network at all. It becomes trickier when devices are hard-wired, as the switching infrastructure then comes into play and it is much harder to see what is actually there. ForeScout CounterACT® can identify those device types and decide what network permissions to allocate.
Other finance professionals I speak with feel that perhaps their networks are so large it is impossible to know what devices are on them. They are also concerned about potential security attack vectors they are not even aware of, such as the connected car in the car park, vending machines, door access, CCTV, HVAC and so on. Furthermore, the IT networks of financial organisations are often shared by business partners or contractors, so there is no guarantee that the devices they bring onto the network are desirable, or ‘safe’. By deploying an agentless cybersecurity solution that offers the ability to see and control all devices connecting to the network, including IoT devices, these organisations will have a way to identify and police their relationships from an IT perspective.
System-wide orchestration of security tools is also a necessity in today’s ever-changing threat landscape, especially with IoT devices presenting new, vulnerable entry points for network attackers. With the right framework in place, these tools can work together to automate response and security enforcement to quickly contain risks and remediate compromised endpoints. Not only does this save considerable administrative time, it dramatically reduces the security attack window.
Currently, the widespread thinking within this sector is to prohibit as many IoT devices as possible from connecting to network environments. That said, finance professionals accept that change is coming and that most organisations are soon going to demand safe connectivity for their IoT devices.
The fact is that the Internet of Things represents one of the largest fundamental changes to the enterprise in decades. The challenge now is to ensure that its promise is realised in a secure and responsible way. The ability to share real-time contextual insights and implement agentless security policies across the organisation encourages healthy security practices from the inside out, so this would be a good starting point for any organisation looking to future-proof its network protection.
By Tim Wallen, Regional Sales Manager, ForeScout Technologies, Inc.