The Benefits and Risks of the Digitization of Enterprises
Insight: Taking advantage of digitization in your business is a great way to utilize technology, but make sure you understand the risks and how to minimize them.
Enterprises need to enable faster and better decisions. “Digitization” is the answer: taking advantage of big data and machine-learning techniques to analyze large amounts of information. For companies with significant physical assets such as transportation, utilities, and manufacturing, digitization is best accomplished by installing sensors on these assets. Connect these sensors together on a network and you have an Internet of Things (IoT).
To be useful, companies need to install many IoT sensors. To be practical, the devices must be inexpensive. To meet this goal, device manufacturers are forced to make compromises that are not seen in traditional enterprise computing equipment. These compromises lead to unique risks that require very different security models to address their shortcomings.
One source of security risk arises from how these devices work together. While manufacturers do consider the need for their own products to work together, there are no standards to ensure interoperability among devices from different companies. An enterprise environment will always be a mix of systems as new systems are added alongside existing equipment, making integration of IoT devices a unique challenge. Trying to connect devices that weren’t designed for this from the start requires additional layers of equipment that end up adding complexity, additional points of failure, and unexpected vulnerabilities. Protecting the operation of any IoT network requires architectural standards for interoperability. Deployment of additional IoT devices should be restricted to ones that meet those standards as often as possible. It’s also important to have mechanisms to keep an inventory of IoT devices on your networks.
A second source of risk can be attributed to the point raised earlier: IoT devices are often built with minimal hardware capabilities to keep costs down. This means that standard enterprise security controls and even the most basic anti-virus software can’t be accommodated in the devices. The result is thousands of underpowered servers with no inherent security. The costs of this weakness were demonstrated in late 2016, when hackers compromised millions of internet-connected webcams and launched a Distributed Denial of Service (DDoS) attack, disrupting key DNS services and rendering some of the largest internet properties unavailable. That same destructive capability can be turned against any target, even corporate IoT devices targeting corporate assets. Since there is no way to secure IoT devices, they should never be directly accessible from the internet. Other security controls must be considered — starting with the network.
Another security risk inherent in currently available devices is rooted in the multipurpose nature of the equipment. Devices that are installed to measure the speed of a conveyor also contain a web server. Risk assessment of a read-only sensor is quite different from that of a web server. It’s difficult to determine exactly what’s vulnerable on IoT devices when thousands are being installed. To protect against these risks, devices must be subject to robust evaluations prior to deployment, or flexible and robust controls must be employed to anticipate the unexpected. The inventory of devices mentioned earlier is again important here.
With thousands (or millions) of IoT devices deployed, the value of information from any single one is limited. However, once that information is aggregated it begins to have value, and after analysis it can provide a competitive advantage. Also to be considered, then, are the risks to the information as it travels through new systems, gaining value along the way. The risks grow with the increasing value.
We’re in the early stages of the Internet of Things, so standards, default secure configurations, and the ability to remediate issues are still developing almost as quickly as the number of devices is growing. Through these vulnerable times, enterprises need to consider how to protect this fast-changing space without slowing its growth, or limiting its value to the business.