How channel firms can exploit a silver lining to shadow IoT

A concept visualising IoT security

The Internet of Things (IoT) is changing how businesses across the globe work. When harnessed effectively it can enhance productivity, cut costs, drive new revenue streams, and bring firms closer to customers.

But in the rush to tap into technological leaps, as with many aspects of digital transformation, organisations can leave themselves exposed to security risks. This threat becomes deeper when teams purchase and connect new IoT endpoints to the corporate network without the knowledge of the IT department.

Shadow IT combined with IoT poses a recipe for cyber security disaster, but the channel can help; both by providing expert guidance, and the tools needed for IT leaders to gain greater visibility and control over their smart endpoints.

A new spin on a time-old problem

IoT adoption continues to grow, with research claiming the number of connected devices will explode from 6.3 billion in 2016 to more than 25 billion by 2025. More than half of new devices deployed will be classed as 'business' devices, but it's increasingly difficult to separate 'business' from 'consumer' products in IoT.

Of course, Industrial IoT (IIoT) products are specifically designed to be used by the likes of manufacturers and transport businesses. They can help with everything from monitoring water levels, to running automated factory floor systems and managing vehicle fleets.

But there is also a potentially large number of smart devices running on a corporate network either brought in by employees from home or by managers. Think 'BYOD 2.0'. These can include smart kitchen and home appliances such as kettles, toasters and TVs, or even cameras.

This represents a new spin on the time-old problem of shadow IT: unsanctioned and potentially unsecured devices expanding the corporate attack surface without any oversight from the IT department. It mirrors warnings from a few years ago of business unit managers migrating corporate data into insecure public cloud accounts. Of course, the very nature of shadow IoT means it's impossible to quantify the threat, but that doesn't mean it isn't a major challenge to corporate security.

The scale of IoT threats is rising

Unprotected endpoints represent an increased security threat on several fronts. For instance, they could be compromised to allow "stepping stone" access to corporate networks and enable data-stealing raids. Or they could be conscripted into botnets to launch DDoS attacks, crypto-mining, click fraud and more. The Mirai attacks of 2016 showed us just how easy it is to do this. IoT endpoints could also theoretically be targeted with sabotage to disrupt business processes and can be compromised to spy on staff.

With Symantec reporting a 600% rise in IoT attacks last year, these threats are far from theoretical. Another survey meanwhile reported organisations suffered on average three attacks on connected devices over the previous 12 months. The same research found a third (33%) of organisations don't know who is responsible for IoT security, while only 38% said they involved security teams in choosing IIoT kit.

The potential impact of a serious incident is well known, spanning financial and reputational damage, as well as large regulatory fines under GDPR, and the NIS Directive which applies to critical infrastructure industries.

The problem with shadow IoT is compounded by the fact that responsibility for these new systems in is blurred, sitting at an intersection of IT and OT (operational technology), falling occasionally between the two completely. Worse still, if OT managers are left in charge of IoT, their approach to security will be different from their IT counterparts - which can lead to reluctance to take systems offline to apply vital patches.

The silver lining for channel firms

The plus side is that this offers channel players a great opportunity to step into the role of trusted advisors. A skills gap in customer-facing organisations can not only lead to shadow IoT but poor security practice. This might include lack of a regular patch update mechanism, default passwords running on products, no network segmentation, and so on.

Channel partners can be on hand to offer vital advice that improves an organisation's basic cybersecurity hygiene in this area, also offering services like pen testing to identify security issues in smart endpoints. They can even help illuminate the darkest shadows of corporate IT to find any devices on the network that shouldn't be there.

Once organisations have got visibility and are following basic best practices there's an additional opportunity to sell a layered security message to keep IoT systems protected from advanced threats. Elements including IPS, firewalls, identity and access management and many more should be on the radar for channel resellers. We don't claim to hold all the answers but there's certainly an opportunity to add value and forge closer ties with your customers as the race for digital transformation intensifies.

David Ellis is VP for security and mobility solutions for Europe at Tech Data