What is This Whole IoT Thing? – Part 2
In our last blog, we defined IoT and talked a bit about its history. In this post, we will tie that together and talk about the pros and cons of using IoT along with some of the risks and concerns to be aware of when evaluating and/or using IoT in your business.
While IoT provides some amazing capabilities, it also raises some interesting questions and concerns that should not be ignored. The first is security. There are many aspects to this, but I will boil it down to two components:
- Network Security: IoT devices need a way to connect to the Internet and this is usually done by connecting via Bluetooth and WiFi. If you place your IoT devices on the same network as your secure business data, you end up with devices that offer little to no security controls connecting over the same network where you house and access sensitive data. If this is not properly managed, this could pose significant risks. (This is the root of how Target got hacked a few years ago. The HVAC company’s monitoring tools got hacked and that gave the hackers a way into Target’s network.)
- Data Security: While we would hope that IoT providers would provide solid security, we have found that companies are rapidly evolving in this world and it is easy to overlook security or just fail to test properly. One obvious way that data security can be breached is if the data that IoT devices collect is compromised. The second way, which could be more impactful, is a hacker sending fake control messages to your IoT devices. I actually had this happen to a thermostat that we had…a hacker changed the temperature setting on it.
The network security element can be relatively easy to manage, simply by creating a segmented, “guest” wireless network and restricting access to your primary wireless network. This tends to be a great step in segmenting untrusted devices (IoT, visitors, employees’ personal cell phones, etc.) from trusted devices and critical data.
I was attending a cybersecurity summit earlier this year and the topic of IoT came up there. The keynote speaker simply said, outright, that it is impossible to appropriately secure IoT devices, so we must treat them all as untrusted, insecure devices. This is critical to understand, as many IoT devices are rapidly developed with functionality in mind over security. (Functionality and security usually have an inverse relationship. As one goes up, the other goes down.) Because we do not know whether we can trust the device and because we have little to no control over how the device performs, we have to treat it as insecure from a network security perspective.
The data security part is a bit harder as you are, typically, talking about storing your data in the cloud, on someone else’s server. (If you want to read more about the Cloud and security, please check out my previous blogs on Demystifying the Cloud Part 1 and Part 2.) If you are just collecting workout data, you may just decide that you don’t care if your data gets hacked. This becomes more critical, however, when you are storing and managing data for more critical devices, from medical devices to business-critical devices. In these cases, it is important to clearly understand what the cloud provider does and doesn’t do. Usually, however, the provider’s liability will be significantly limited by its contract, so you may want to carry extra cybersecurity insurance or you may opt to not push the collected data to the cloud. A competent IT professional (I’d like to think we are competent in this area) can help you make this evaluation and understand the pros and cons.
If you are looking at a broader IoT deployment where you want to collect data as an integral part of your business, another consideration may be to create an isolated network, not just for the IoT devices but also for the server(s) that collect and process that data. This deeper isolation would definitely give you a lot more control but can also come at an increased cost. As stated above, you probably want to bring in a competent IT professional to help you in evaluating not just the technology but the business pros and cons to different approaches.
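The guest/IoT segment and the isolated collection network described above only help if the rules between segments actually block IoT devices from the trusted network. The following Python check is an added example, not part of the original post; the subnets, the ports and the ordered first-match rule format are constructed assumptions, as is the implicit default deny.

```python
import ipaddress

# Constructed addressing plan for illustration (assumed, not from the post).
TRUSTED = "10.0.10.0/24"    # business workstations and sensitive data
IOT = "10.0.50.0/24"        # IoT / guest wireless segment
COLLECTOR = "10.0.60.0/24"  # servers that collect and process IoT data

# Ordered first-match rules: (action, source, destination, port); None = any port.
FLAT_RULES = [("allow", "0.0.0.0/0", "0.0.0.0/0", None)]  # everything on one network
SEGMENTED_RULES = [
    ("allow", IOT, COLLECTOR, 8883),        # IoT -> collector (MQTT over TLS port, assumed)
    ("deny", IOT, "10.0.0.0/8", None),      # IoT -> anything else internal
    ("allow", IOT, "0.0.0.0/0", 443),       # IoT -> vendor cloud over HTTPS
    ("allow", TRUSTED, "0.0.0.0/0", None),  # trusted devices may initiate anywhere
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def exposed_ports(rules, src, dst):
    """Ports on which hosts in `src` can reach hosts in `dst` (first match wins)."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    decided, exposed = set(), []
    for action, r_src, r_dst, port in rules:
        r_src, r_dst = ipaddress.ip_network(r_src), ipaddress.ip_network(r_dst)
        if not (r_src.overlaps(src) and r_dst.overlaps(dst)):
            continue  # rule does not touch this pair of segments
        covers = src.subnet_of(r_src) and dst.subnet_of(r_dst)
        if action == "deny" and not covers:
            continue  # a partial deny cannot be relied on to block the whole segment
        if port is None:  # any-port rule settles everything not decided earlier
            if action == "allow":
                exposed.append("any")
            return exposed
        if port not in decided:  # an earlier rule for the same port takes precedence
            decided.add(port)
            if action == "allow":
                exposed.append(port)
    return exposed  # no further match: implicit default deny (assumption)

def iot_is_isolated(rules):
    """True when no IoT host can open a connection into the trusted segment."""
    return exposed_ports(rules, IOT, TRUSTED) == []

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, "IoT->trusted:", exposed_ports(rules, IOT, TRUSTED),
              "IoT->collector:", exposed_ports(rules, IOT, COLLECTOR))
```

The check is deliberately conservative: an allow rule that overlaps only part of a segment is reported as exposure, and a deny rule that covers only part of a segment is not counted as protection.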
One piece of advice that I received as a child stands out when talking about IoT: with great power comes great responsibility. The IoT world is amazing and powerful, full of possibilities that many haven’t even imagined yet. However, with that comes the responsibility to evaluate the risks and make an educated decision on what you want to do. It is my hope that this blog post has helped you in that direction. As always, if I can do anything to help you, please do not hesitate to reach out.