A salesperson tried to sell me an internet-enabled TV for my office the other day.
I asked if he was bundling a security event and incident management appliance or a unified security management server along with his television so that his device didn’t compromise my network. The salesperson asked me what I meant… so I hung up on him. No thanks.
Network-aware appliances – the lion’s share of devices that make up the internet of things – sound modern and safe. In reality, these non-PC devices (like a refrigerator that e-mails you when you run low on bacon) are poxy little saboteurs. They’re extremely simple PCs that wait cheerfully to give some clever baddie a safe haven from which to pursue greater mischief.
My argument is that IoT nodes introduce vulnerabilities to the network they’re installed on because they’re inherently insecure. The operating systems on most non-PC devices are bare-bones affairs, designed for minimum functionality, often with no thought to integrating into a managed network. Unlike a complex PC, phone, or tablet, IoT devices usually aren’t engineered with hardening and monitoring in mind. That’s why I argue that the market conditions aren’t right – yet – to introduce IoT into businesses too small to feature a dedicated infosec department.
A business that is large enough has both the resources and the remit to integrate IoT components into the network under controlled conditions. Larger companies feature defensive tools like centralised anti-virus management, patch management servers, and intrusion detection systems. They also employ trained operators to monitor their network traffic. These professionals know how to recognise suspicious behaviour, and have the authority to swiftly shut down any device that starts acting squiffy.
I’ve consulted to a bunch of US-based small businesses that understood the need for security, but couldn’t justify stretching the payroll. In 88 per cent of the SOHO environments with 20 or fewer users I inspected between 2001 and 2014, the single most common network defence capability I found was a home-grade broadband router with a built-in firewall – usually with no one monitoring it. I understand why – when margins are razor thin, the resources just aren’t there to procure or to operate enterprise-grade tools.
That’s why the IoT should be a slow sell for small businesses over the next few years: every new addressable device introduced to an office network is another potential pivot point for an attacker. An IoT device may seem like a simple TV set or refrigerator, but an attacker views those nodes as weak, unmonitored, easy-to-compromise targets. Business owners must realise they’re not positioned to accept the risk until they start investing in infosec.
Unfortunately, the glamour and allure of IoT toys will likely prove captivating to people who don’t realise they’re buying wolves masquerading as gerbils. We’ll see a spate of network compromises make the news before the network security sector players realise that they have a golden opportunity (and a compelling need) to take their enterprise toys down-market.
By 2018, I think we’ll start to see the top security vendors roll out simpler, significantly less expensive devices to the SOHO community, the same way they brought us reasonably effective router/firewall capability in £100 appliances back in the early 2000s. Then – and only then – will it start being safe for small businesses to start connecting internet-enabled TV sets and bidets to their networks. Until then, their best choice is either to do without, or to hire full-time infosec boffins.