
IoT and personal devices pose huge security risk to enterprises

After years of speculation about the risk IoT and personal devices pose to enterprise security, research has revealed the threat is “immense” and probably greater than most firms realise

The cyber security risk posed to enterprises by personal devices and internet-enabled devices making up the internet of things (IoT) is significant, a study shows.

Enterprise networks across the UK, Germany and US have thousands of unmanaged personal devices and IoT devices connecting to their networks, according to a study by network control firm Infoblox.

The research report on shadow IT devices lurking on enterprise networks warns organisations against overlooking employee-owned laptops, e-readers and mobile phones, and IoT devices such as digital assistants and smart kitchen appliances that are connecting to their networks.

The study shows that in more than a third of companies polled, more than 5,000 personal devices are connecting to the network each day.

Employees in the US and UK admitted to connecting to the enterprise network for a number of reasons, including to access social media (39%), as well as to download apps (24%), games (13%) and films (7%).

These practices open organisations up to social engineering hacks, phishing and malware injection, the research report warns.

Conversely, just 16% of IT directors in the United Arab Emirates reported having more than 500 personal devices connecting to their networks.


A third of companies in the UK, Germany and US have more than 1,000 shadow IoT devices connected to their network on a typical day, with 12% of UK organisations reporting having more than 10,000.

The most common devices found on enterprise networks include fitness trackers (49%), digital assistants such as Amazon Alexa (47%), smart TVs (46%), smart kitchen devices (33%) and gaming consoles (30%).

Such devices are easily discoverable by cyber criminals online via search engines for internet-connected devices, like Shodan, which provides even low-level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities.

In March 2018, such scans revealed that there were 5,966 identifiable cameras deployed in the UK, 2,346 identifiable smart TVs deployed in Germany, and 1,571 identifiable Google Home digital assistants deployed in the US.

To manage the security threat posed by shadow personal devices and IoT devices in the network, 82% of organisations have introduced a security policy for connected devices. However, IT directors appear misguided in their estimation for how effective these policies are, according to the research report.

Security policy awareness

While 88% of the IT leaders that responded to the survey believe their security policy is either effective or very effective, nearly a quarter of employees from the US and UK did not know if their organisation had a security policy.

Of those that reported that their organisation did have a security policy for connected devices, 20% of UK respondents claimed they either rarely, or never, follow it. Only one-fifth of respondents in the US and UK reported that they followed it to the letter.

While security policies and security awareness have their place, they also have their limitations, according to RBS CISO Chris Ulliott.

Commenting specifically on cyber security awareness training programmes, he told attendees of CrestCon 2018 in London that security professionals need to realise the limitations of such programmes.

Ulliott is among those information security professionals who believe that device manufacturers and service providers need to put more effort into making things secure by design so they are safe to use without any fear of security risk. “More needs to be done to understand user behaviour and design products and services accordingly,” he said.

Cyber security advice limitations

To illustrate the limitations of cyber security advice, Ulliott cited a 2012 review in the Annals of Internal Medicine that shows people routinely ignore medical advice, despite the potential consequences on their health.

According to the review, studies have consistently shown 20-30% of medication prescriptions are never filled, and approximately 50% of medications for chronic disease are not taken as prescribed. This lack of adherence is estimated to cause approximately 125,000 deaths a year, the review said.

“If people are willing to ignore medical advice at the cost of their own lives, what hope do we have that they will follow cyber security advice?” said Ulliott.

Gary Cox, technology director for Western Europe at Infoblox, said that the poor security levels of many consumer and IoT devices mean there is a “very real” threat posed by those operating under the radar of organisations’ traditional security policies.

“These devices present a weak entry point for cyber criminals into the network, and a serious security risk to the company,” he said.

According to Cox, networks need to be a frontline defence for enterprises, second only to having good user education and appropriate security policies.

“Gaining full visibility into all connected devices, whether on premise or while roaming, as well as using intelligent systems to detect anomalous and potentially malicious communications to and from the network, can help security teams to detect and stop cyber criminals in their tracks,” he said. 
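The visibility step Cox describes starts with something most organisations already have: the DHCP server's lease records. The following is an added example (not from the Infoblox report or any product) showing one way a security team can reconcile lease records against a managed-asset register to surface unmanaged devices. The lease lines, OUI table, vendor names and the asset register are all constructed for illustration; a real deployment would load the IEEE OUI registry and its own CMDB export.

```python
import re
from collections import Counter

# Constructed dnsmasq-style lease lines: "<expiry> <mac> <ip> <hostname> <client-id>"
SAMPLE_LEASES = """\
1520000000 3c:5a:b4:11:22:33 10.0.5.14 galaxy-s8 01:3c:5a:b4:11:22:33
1520000060 b8:27:eb:aa:bb:cc 10.0.5.22 raspberrypi 01:b8:27:eb:aa:bb:cc
1520000120 00:1a:2b:3c:4d:5e 10.0.5.30 LAPTOP-FIN-0042 01:00:1a:2b:3c:4d:5e
1520000180 44:65:0d:12:34:56 10.0.5.31 amazon-echo *
1520000240 00:1a:2b:3c:4d:5f 10.0.5.32 LAPTOP-FIN-0043 01:00:1a:2b:3c:4d:5f
1520000300 da:1f:22:33:44:55 10.0.5.41 iPhone *
"""

# Constructed OUI-to-vendor table (illustrative only; load the IEEE OUI registry in practice)
OUI_TABLE = {
    "3c:5a:b4": "Google",
    "b8:27:eb": "Raspberry Pi Foundation",
    "44:65:0d": "Amazon Technologies",
    "00:1a:2b": "CorpLaptopVendor (hypothetical)",
}

# Constructed managed-asset register: MACs the organisation owns and manages
MANAGED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.IGNORECASE)


def parse_leases(text):
    """Parse lease lines into dicts; lines that do not match the format are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        expiry, mac, ip, hostname, _client_id = m.groups()
        leases.append({
            "expiry": int(expiry),
            "mac": mac.lower(),
            "ip": ip,
            "hostname": None if hostname == "*" else hostname,
        })
    return leases


def is_locally_administered(mac):
    """True when the U/L bit (0x02) of the first octet is set. Randomised or
    privacy MACs, common on modern phones, set this bit and carry no real OUI,
    so OUI-based vendor lookup must not be trusted for them."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def vendor_of(mac):
    """Best-effort vendor attribution from the first three octets."""
    if is_locally_administered(mac):
        return "randomised MAC (no OUI)"
    return OUI_TABLE.get(mac[:8], "unknown OUI")


def find_unmanaged(leases, managed_macs):
    """Return lease records whose MAC is absent from the asset register,
    annotated with the inferred vendor so analysts can triage by device type."""
    unmanaged = []
    for lease in leases:
        if lease["mac"] in managed_macs:
            continue
        unmanaged.append({**lease, "vendor": vendor_of(lease["mac"])})
    return unmanaged


def vendor_summary(unmanaged):
    """Count unmanaged devices per inferred vendor, the figure a report would lead with."""
    return Counter(d["vendor"] for d in unmanaged)


if __name__ == "__main__":
    found = find_unmanaged(parse_leases(SAMPLE_LEASES), MANAGED_MACS)
    for d in found:
        print(f"{d['ip']:<12} {d['mac']}  {d['hostname'] or '-':<16} {d['vendor']}")
    print(vendor_summary(found))
```

The asset register, not the OUI table, is the authority on what is managed: the vendor lookup only helps an analyst decide what the unmanaged device probably is. The locally-administered check matters because a phone with MAC randomisation enabled will show up with a fresh address each time it joins, inflating counts and defeating any vendor-based allow-listing; those devices are better attributed through 802.1X identity or the DHCP client identifier than through the MAC.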
