Shadow IoT is a threat to your business. Here’s how to deal with it

By Naveen Joshi – Director at Allerin

Leveraging IoT-enabled devices within companies without the IT department’s knowledge can attract hackers. Organizations should, therefore, defend against the threats of shadow IoT by enforcing stringent policies and controlling access rights.

We live in the digital era, an era that promotes the use of new-age technologies to transform the most ambitious business visions into reality. Organizations have witnessed workflow optimization, efficiency, and accuracy with the help of digital technologies. One such technology, which has opened new doors of business opportunity and benefitted companies with reduced time to market and higher profitability, is IoT. IoT is already helping companies meet inflated consumer expectations, thereby improving customer satisfaction levels.

Organizations have also leveraged IoT-powered devices at their workplaces to achieve performance excellence, asset utilization, and cost savings. This includes BYOD as well. BYOD has been a workplace trend for quite some time now, where employees are given the freedom to bring their personal devices to the office. The enterprise data lies in the cloud, which makes it easier for employees to access business information whenever needed. With a BYOD policy and cloud-based mobile apps in the picture, employees get an opportunity to work remotely as they wish. By instituting a BYOD policy, the productivity and work efficiency levels of employees will skyrocket, enabling organizations to meet their business objectives. While it’s great to see the benefits, organizations should also be mindful of the risks. BYOD can give hackers a great chance to easily gain access to centralized control systems and steal digital assets.

It is true that organizations can keep track of such devices, carry out security practices, and tighten their security walls. But what if employees bring and use their devices without the organization’s knowledge? This is exactly what shadow IoT is. If this happens, organizations will undoubtedly see dire consequences. Hence, organizations should defend against the threats of shadow IoT by executing the necessary security measures.

Prevalence of shadow IoT

There are myriad IoT-enabled devices already available in the market. A report by IHS Markit, a London-based global information provider, states that the number of connected devices will hit 125 billion by the year 2030. This indicates how pervasive IoT devices are today. With this growing use, the threats of shadow IoT have also increased. Another report, from 802 Secure, a wireless network security solutions and services firm, shows how prevalent the issue is. Mike Raggo, the Chief Security and Threat Research Officer at 802 Secure, says “While most organizations prepare for IoT enablement, our threat intelligence shows that most companies are still vulnerable to 10-year-old wireless vulnerabilities.” The report highlights that:

  • 90% of the organizations had Shadow IoT/IIoT wireless networks.
  • New wireless USB thumb drives and spy cameras are rising shadow threats.
  • Companies witness at least 1 wireless attack every week.

Threats of shadow IoT

Remember the 2012 cyberattack, where criminals managed to intrude into the thermostats of a state government facility and a manufacturing plant in New Jersey? And the largest DDoS attack, launched on service provider Dyn using an IoT botnet in 2016? These incidents show how hackers have already managed to penetrate IoT devices. As IoT devices are most vulnerable to cyberattacks, organizations impose strong security controls on them to enhance protection. But even when IoT devices are strongly secured, criminals find innovative ways to enter the network. Now imagine the threats to IoT devices that do not have enterprise-grade security features.

With the help of mobile management applications, companies can keep track of all the IoT devices they use. But sadly, there are many systems that do not have enough security controls. According to researchers from the University of Michigan and Brazil’s Federal University of Pernambuco, smart devices pose a terrible threat through their apps. Bad actors can easily spot a weak, loosely secured point and sneak in through it. Once they are inside the network perimeter, carrying out criminal activities becomes easier for them. They can then inject malicious code onto the network, carry out phishing, or try different automated cyberattacks. In addition, vital information about employees, the business, and clients can be easily accessed by perpetrators. The threats of shadow IoT can be devastating and can cost companies their reputation and identity. Hence, organizations must take appropriate measures to address the issue of shadow IoT, ensuring that all devices are operated safely without compromising on security.

Steps to mitigate the threats of shadow IoT

As IoT devices are increasingly being used by hackers as an entry point to intrude into and attack larger network systems, security has become an essential consideration for businesses. Cybersecurity specialists are working day and night to get rid of the hacker threat, no doubt. But along with security measures, companies should ensure that the following steps are mandatorily considered:

Educate your employees about the threats of shadow IoT

Not every employee in your organization is an IT specialist, and not everyone is aware of the consequences of hacker attacks, especially the non-technical teams. Employees working in non-IT departments may unknowingly use their personal devices without informing the cybersecurity team, which can then lead to negative consequences. Organizations should, therefore, take this into consideration without fail. Sessions should be conducted where every employee is told about malicious actors, their intent, and their actions. The concepts of shadow IoT should be explained well.

Let employees officially add their devices to the portal

Why would employees use their devices without the IT department’s knowledge? Well, there could be two possible reasons. First, they just don’t wish to go through the long procedure of adding and securing their devices. Second, the request to use their devices was rejected by the IT team. Organizations can easily deal with this issue. Employees should be given the access rights to add information about their devices to the inventory of authorized systems. Further, the IT team should take care of the security of the added systems. Following this procedure will help companies substantially reduce the threats of shadow IoT.

Monitor devices for security regularly

Organizations should keep a keen eye on the existing devices and also the newly added ones. They should monitor their networks to ensure that all the systems have tight security controls and are tamper-free. It is rightly said that employees are the weakest link in any organization’s defense. Their negligence or poor knowledge of cybersecurity risks can aid cyberattacks. Hence, organizations should mandatorily give their staff timely heads-ups. Along with the existing cybersecurity measures and the steps shared above, companies should also enforce stringent laws that ensure the official and legitimate use of IoT devices at work. Strict action should be taken if employees fail to abide by the rules. This way, organizations can enforce good security hygiene, thereby making a criminal’s job difficult.