Intelligent CISO Issue 18 | Page 38

tools onto IoT devices and you can begin to appreciate just how hard it is for security teams to secure their organisation’s IoT deployments using traditional approaches.

Why do enterprises need to care about IoT risks?

SCOTT GORDON, (CISSP) CMO, PULSE SECURE

To put it simply – enterprises need to care about IoT risks because they need to care about security risks. IoT devices are widely known to be replete with vulnerabilities and are often leveraged as the weakest link in an otherwise secure network.

There are as many potential attacks as there are IoT devices – they could range from a hacked fridge, to connected insulin pumps that could harm or kill patients. These aren’t ‘what ifs’ either but have been seen in the wild frequently. A great example is a recent casino hack: attackers accessed the network through a connected aquarium thermometer and actually stole customer data.

Even if enterprises don’t particularly care, regulators do. Despite a slow start, IoT regulation is being drafted around the world and the non-compliant will not fare well when it finally hits.

IoT is leveraged to stay competitive amidst the Digital Transformation. Indeed, its potential is tremendously exciting for enterprises. But as we rely more and more on such devices and they weave their way closer to the heart of our IT systems, they become ever more capable of being the weak link in an otherwise secure ecosystem.

Much of IoT’s insecurity stems from careless and rushed development on the part of manufacturers. They are not designed with security in mind and software updates are sparse. Enterprises need to recognise that fact if they don’t want to fall prey to IoT manufacturers’ bad choices. The British government has recently announced an IoT security certification scheme which informs potential buyers as to the security of their potential purchases.

MATT WALMSLEY, HEAD OF EMEA MARKETING AT VECTRA

Organisations must acknowledge that, to reap the benefits of the IoT, they must accept and manage the associated security risk. IoT is bringing more devices onto the network than ever, but these devices very rarely get patches or updates. This means that vulnerabilities can be left unaddressed for months or even years and this lack of security-hardness leaves them vulnerable to attack and exploitation. Without the ability to run client-based endpoint security solutions – and unprotected by legacy signature-based defences – these devices are ripe to be breached.

Take the example of the Mirai IoT botnet that surreptitiously took control of hordes of IP cameras and used them to enact a DDOS attack that brought down Amazon, Spotify, Twitter and other websites.

What is the best way to ensure a robust defence against attacks via IoT?

MATT WALMSLEY, HEAD OF EMEA MARKETING AT VECTRA

It’s no easy feat to secure every single device from outside attack but there are measures organisations can take to protect themselves. The emphasis must shift from threat prevention to threat detection – where network traffic is constantly tracked and monitored for suspicious activity. Machine Learning and Artificial Intelligence have an important part to play here and can accelerate and increase the accuracy of security