Every business has hundreds, if not thousands, of Internet-connected devices. While this Internet of Things, or IoT, helps companies operate more effectively, it also presents a far bigger security risk than many businesses realize.
Consider: Today’s offices are full of internet-enabled devices, from computers and printers to elevators and security cameras, all collecting vast amounts of data. Add to that the number of people coming and going each day with their own connected devices, such as laptops, mobile phones and tablets. All these devices, with access to both personal and corporate data, are often protected only by passwords, and those passwords are frequently reused across many platforms, so a single stolen credential can open several systems.
In this kind of environment, attackers can steal confidential business and personal data, and often operate for a long time before the company realizes it.
Read our full report on locking down IoT security.
What to do? First, businesses need to understand that limiting risk goes far beyond simply protecting the devices themselves. To have effective IoT security, companies need to establish guidelines covering how these devices are used and the entire system in which they operate: the networks they sit on, the cloud services they talk to and the people who handle them.
In most cases, that means your company’s current cybersecurity measures aren’t enough. A broader approach is needed. Here are some tips to help you get started, grouped into three areas: leadership and policy, the devices themselves, and network access.
Prioritize IoT security. IoT is a bigger business issue than it is a technology issue. Boards and senior leaders should be highly engaged on IoT security. Senior leaders need to play a role as change champions on cybersecurity.
Define everyone’s responsibilities. Develop a policy that spells out everyone’s role in cybersecurity. Users should be aware of the risks and the precautions required, such as when an employee uses a mobile phone to access confidential data in an airport.
Regularly revise security policies. Revisit your technology and business operations on a regular basis to re-evaluate cyber risk. Technology is changing so rapidly that security policies go stale unless they are kept up to date.
Decide what devices you need. It’s important to understand how connected devices fit into your overall business strategy. Focus on what devices are being used, what benefits they provide and the potential risks they create.
Don’t forget basic devices. Most office printers contain a small embedded computer, in some cases adapted from a low-cost consumer computer. Employees send documents to it over wireless connections, and print jobs sent without encryption or authentication can be intercepted or spoofed on that link.
Include outside devices. Many people use their own connected devices to work both inside and outside the office. Make sure your IT department has established policies to control and protect your network when these devices are being used.
Manage third-party access. Some firms today use contracts requiring suppliers and service providers to protect confidential information and to demonstrate adequate cybersecurity within their own organization.
Limit each device’s access. If the device is a sensor to detect customer traffic, for example, it should not have access to other systems or data. In addition, each device’s access and privileges should be monitored, so that an attacker who compromises the device and tries to reach other systems or escalate privileges is detected rather than discovered months later.
Create separate networks. Create discrete networks within the company that have additional monitoring and restricted access. Guests and business partners, for instance, could log on to a different Wi-Fi network than employees.
Vet everyone involved. IoT typically involves being connected with other services in the cloud. Adopting IoT therefore requires thoroughly vetting each of the cloud services and other parties connected to the network.
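The "limit each device’s access" and "create separate networks" tips above become concrete when each device class is pinned to its own network segment and an explicit allowlist of destinations, and every flow that breaks the rule is surfaced as an alert. The following is an added example, not KPMG’s code or part of the report: it evaluates a handful of constructed flow records against such a policy. The device names, segments, IP addresses, ports and the key=value log format are all assumptions; real firewall or NetFlow records will look different.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed flow records (an assumption about format; real flow logs from a
# firewall or NetFlow collector differ). One record per line.
SAMPLE_FLOWS = """\
2017-05-01T09:00:01Z dev=lobby-sensor src=10.20.0.17 dst=10.20.0.5 dport=8883 proto=tcp
2017-05-01T09:00:02Z dev=printer src=10.30.0.12 dst=10.30.0.10 dport=631 proto=tcp
2017-05-01T09:00:07Z dev=lobby-sensor src=10.20.0.17 dst=10.0.0.50 dport=445 proto=tcp
2017-05-01T09:00:09Z dev=lobby-sensor src=10.10.0.44 dst=10.20.0.5 dport=8883 proto=tcp
2017-05-01T09:00:11Z dev=guest-laptop src=192.168.50.9 dst=10.30.0.10 dport=631 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) dev=(?P<dev>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


class Flow(NamedTuple):
    ts: str
    dev: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


# Hypothetical policy: each managed device class lives in its own segment and
# may reach only the destinations its job requires. Everything else is denied,
# and devices not listed here (guests, partners) get no internal access at all.
POLICY = {
    "lobby-sensor": {
        "segment": ipaddress.ip_network("10.20.0.0/24"),
        "allowed": {(ipaddress.ip_address("10.20.0.5"), 8883, "tcp")},  # MQTT over TLS
    },
    "printer": {
        "segment": ipaddress.ip_network("10.30.0.0/24"),
        "allowed": {(ipaddress.ip_address("10.30.0.10"), 631, "tcp")},  # IPP print server
    },
}


def parse_flow(line):
    """Parse one key=value flow record into a Flow; reject anything malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["ts"], m["dev"], ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]), m["proto"])


def evaluate(flow, policy=POLICY):
    """Return 'allow' or a 'deny: <reason>' verdict for a single flow."""
    rule = policy.get(flow.dev)
    if rule is None:
        # Unknown or guest devices never get to internal services.
        return "deny: unmanaged device"
    if flow.src not in rule["segment"]:
        # A known device talking from the wrong network is misplacement or
        # spoofing, which is worth an alert on its own.
        return "deny: source outside assigned segment"
    if (flow.dst, flow.dport, flow.proto) not in rule["allowed"]:
        # The sensor reaching a file server is the lateral-movement case the
        # tip warns about.
        return "deny: destination not in allowlist"
    return "allow"


def audit(log_text, policy=POLICY):
    """Run every record through the policy and return the denials as alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = evaluate(flow, policy)
        if verdict != "allow":
            alerts.append((flow.ts, flow.dev,
                           f"{flow.dst}:{flow.dport}/{flow.proto}", verdict))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS):
        print(*alert)
```

Run against the constructed records, the two legitimate flows pass and three alerts come out: the sensor contacting an SMB port on a server outside its allowlist, the same sensor class appearing from a source address outside its segment, and a guest laptop reaching the print server. The point of the design is that the allowlist is the enforcement rule on the firewall and, at the same time, the detection rule for the monitoring team: any flow it would block is also a flow someone should look at.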
As you can see, the IoT network presents a number of security risks. But if companies look beyond the devices themselves, they can take steps to protect the entire network from breaches.
© 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. The KPMG name and logo are registered trademarks or trademarks of KPMG International. The information contained herein is of a general nature and is not intended to address the specific circumstances of any particular individual or entity. Some of the services or offerings provided by KPMG LLP are not permissible for its audit clients or affiliates.