Organisations must now factor Internet of Things (IoT) into their continuity planning, says Peter Groucutt, managing director of Databarracks.
The company has found that just over a quarter of organisations have specific policies in place designed to protect against IoT threats.
“The IoT device market is still relatively immature and somewhat of a Wild West,” said Groucutt.
“According to industry experts, by 2020 there will be over 50 billion connected devices.
“Understandably, manufacturers are racing to capitalise on the opportunity, but unfortunately, many are doing so at the expense of basic security measures.
“Organisations need to be aware of these risks, even if they don’t use any IoT devices – the growing number of connected devices globally means there is an increased risk of DDoS attacks through IoT botnets – but our data suggests firms are ignoring these threats.”
Research from the company’s annual Data Health Check survey revealed that only 13 per cent of businesses saw IoT threats as a major concern.
Additionally, just over a quarter of organisations (27 per cent) had set policies in place designed to protect against IoT threats.
Groucutt states that for organisations incorporating IoT devices into their IT infrastructure, there are several considerations.
“Firstly, organisations should not rely on existing policies for evaluating the security of devices, but should develop new policies for IoT devices,” he said.
“Questions to consider are what protocol does the device use? Can the IoT network be isolated from our other systems?
“Is it connecting directly back to the data centre or to a hub – either in the cloud (hosted externally) or to an Edge server that you manage?
“How do we log in and authenticate? Can we integrate with our existing authentication products, and finally, what O/S is used and do we have competency?
“Secondly, when factoring IoT into your continuity planning, you must define the risks and put in place the necessary controls to minimise them. A plan should be in place to deal with any disruptions.”
He goes on to explain that if a sensor governing a process on a production line is faulty or hacked it will need to be removed from the network while the problem is fixed.
Depending on the function of that sensor, the lesser impact might mean that some data monitoring is lost for a period but won’t necessarily halt operations on that production line.
If the sensor, however, is responsible for a more critical process, operations will be hit and contingencies will need to be in place to continue. In this instance, speed of resolution is vital to minimise the financial impact of any downtime.
“The unique challenge of IoT continuity is that the devices, by their nature, are remote and numerous,” he said.
“Remote access, and the ability to apply changes and fixes to multiple devices at once, makes them easier to manage, but that comes with a risk of compromise.
“If a remote fix cannot be carried out, an engineer will be required to physically visit the device or devices to address the issue.
“Again, due to the nature of IoT devices – that they are remote and numerous, that means significant cost for remediation.
“This might be an internal engineer physically traveling to reach a faulty device, or alternatively, enlisting the support of an external engineer, for example, the manufacturer of the device, to fix the problem.
“While this remediation is taking place, a business must be able to operate without that device. Returning to the example of a sensor on a production line, is there an alternative, manual workaround? If not, whenever there is an issue, production will be brought to a halt until the problem is resolved.”


