Internet of Things (IoT) devices have proliferated in recent years with more connected devices hitting the consumer, commercial, and industrial markets. Smart TVs, smart speakers, smart appliances, thermostats, light switches, security systems, health monitors, and medical devices are just a few of the many types of internet-connected devices that have arisen.
But the greater ubiquity of IoT devices has naturally aroused the interest of cybercriminals, who are actively seeking to compromise them, plant malware, and steal information. In a report released on Thursday, Deloitte shares several ways that organizations can better secure their IoT devices.
With the number of IoT devices set to jump well beyond 41 billion by 2025 according to research from IDC, governments are already getting involved in the effort to secure them. California is set to launch a new Internet of Things Security Law on January 1, 2020, which will require that all IoT devices be outfitted with reasonable security protection. As such, organizations should already be prepping ways to protect their connected devices. Companies that deploy IoT devices in their environments should beef up their security measures, while manufacturers that make connected products should ensure that they’re secure by design.
“The risk of compromise to a connected device is too great to ignore and often too late to reactively respond to,” Sean Peasley, partner for Deloitte & Touche LLP and IoT security leader for Deloitte cyber risk services, said in a press release. “Organizations should adopt a proactive, secure-by-design approach while strategically and intentionally working to monitor and patch outdated legacy equipment, software, and infrastructure.”
Five best practices
To help manufacturers, businesses, and other organizations better secure their IoT devices, Deloitte offers the following five best practices:
- Take note of every network endpoint added. Every endpoint added to your network creates more areas through which cybercriminals can attack. Deloitte advises organizations to bring as much of their endpoint footprint as possible under their security management. Spending on IoT endpoint security is expected to rise to more than $630 million in 2021, according to Gartner analysts. Once more of these connected devices are properly managed, integrating security tools can become a more effective process.
- Align operational technology, IT, and security. In addition to deploying IoT devices, organizations are managing digital transformation projects at the same time. But less than 10% of cyber budgets are allocated to these efforts, according to a “Deloitte Future of Cyber” study. To successfully achieve their goals with their IoT initiatives, companies need to understand the enterprise and cyber risks, create a plan to prioritize and mitigate those risks, and then align the process across all the major stakeholders, including operational technology, IT, and cybersecurity. “IoT spans operational environments as much as it includes wearables, connected cars, and products,” Peasley said. “Organizations should proactively plan for how to identify, track, patch, and remediate around how it all could impact their organizations and ecosystems.”
- Know the players in your ecosystem. The interconnectivity of third-party hardware, software, or services could be the source of a security breach. Therefore, organizations need to consider how a connected device interacts with these third parties. Contracts with third, fourth, and fifth parties should address security updates and concerns. Organizations should also set up a third-party risk management program to evaluate the cyber risks of their third-party and supply chain partners.
- Employ artificial intelligence and machine learning to detect anomalies that humans cannot. Artificial intelligence for IT operations (AIOps) has grown from an emerging category into a necessity for IT. AIOps platforms are uniquely suited for establishing a baseline for normal behavior and for detecting subtle deviations, anomalies, and trends. Organizations should take a secure-by-design approach in tandem with an AIOps approach to prevent and identify cyberattacks.
- Conduct vulnerability assessments on devices. As cyberattacks continue to grow, organizations should ensure that their connected devices — and the environment in which they’re deployed — have been designed, built, and implemented with security in mind. Whether through basic testing or a bug bounty program, testing can provide assurance of the security protections in place for connected devices.