enterprise Archives - Security IT Summit | Forum Events Ltd
Posts Tagged :

enterprise

To succeed, enterprise cybersecurity needs IoT scale

960 640 Guest Post

By Nigel Thompson, VP Product Marketing at BlackBerry

There are few things in cybersecurity that aren’t up for endless debate. Yet one thing that is universally agreed upon is that anything with an Internet address can and will be attacked. We’ve certainly witnessed this happening on a large scale with the proliferation of Internet of things (IoT) devices in recent years, and we’re likely to see the scale and complexity of these attacks escalate in the years ahead. And due to their newness on the security scene, IoT devices will cause large headaches for enterprise security during those years.

IoT, on the whole, remains a misunderstood risk. When many consider IoT security, what comes to mind first are usually “smart home” automation systems, such as thermostats, lights, doorbells, speakers, and other consumer devices. One concerning case last year saw cyber attackers take over a family’s smart home devices to blast music at loud volumes, talk to the couple through a camera in their kitchen, and crank their thermostat to 90 degrees. In cases like these, such attacks could arguably be considered more of a nuisance than a life-endangering event.

But once you step outside the home, a more profound and immediate danger lies in wait, in the form of industrial, or enterprise IoT. This IoT includes connected devices found in manufacturing, the food supply chain, healthcare, and building automation, among other verticals. Of course, security events involving consumer IoT devices are bad enough, but such attacks hitting enterprise systems and critical infrastructure can be devastating, or in the case of medical devices, life-threatening. For example, at a past DEF CON security conference, Jay Radcliffe, an ethical hacker and diabetic, demonstrated that it wasn’t that difficult to take remote control of an insulin pump and deliver a lethal dose to a patient.

According to a recently published report from research and consulting firm Frost and Sullivan, by 2025 there will be 67 billion new connected devices in the world, up from 24 billion in 2019. Enterprises in every industry need be prepared for that eventuality. Because the more Internet-connected devices come online, the larger the potential attack surface of the organisation. In the years ahead, that attack surface is going to continue to expand exponentially.

The Threats to Enterprise IoT Are Real

The threats due to enterprise IoT are significant and should not be underestimated. These connected devices generate an enormous amount of highly detailed data. Should this data be stolen, or its network flow disrupted through a denial of service attack or a targeted ransomware strike, the results could be highly destructive to business reputation and operational availability. Also, the data within supply chains that detail operational demands, production data and more will always have value to competitors.

IoT security is a challenge across verticals. According to Frost and Sullivan, the factory and industrial automation market will have nearly 10.8 million connected devices by 2025, while building automation will reach 30 million. Other verticals expecting substantial growth, according to the report, include connected cars and telematics, retail, healthcare and medical devices, and enterprise-issued and bring your own (BYO) devices.

“This will substantially increase the threat surface, which is reflected in the rapidly expanding threat landscape,” the firm wrote in their report. The total number of devices include recognisable endpoints, such as phones and tablets, as well as devices across nearly every other industry.

Of course, with these device deployments, there is great opportunity to improve operational efficiency, improve the lifecycle management of capital assets, provide real-time insight into the enterprise happenings, and engage with customers in new ways. But the security concerns are also real. The challenge is to manage the security risks so that these benefits can be realised, and the risks minimised.

Attain Control and Visibility Across All Endpoints

There are a number of steps that can be taken to ensure adequate IoT security. One step every organisation can take right away is to procure devices from manufacturers that develop their products with security in mind – baking security in from the ground up, rather than bolting it on afterwards. As part of that effort, organisations should make sure to have their security teams test any new hardware and software for security flaws and ensure the devices can be managed just like other endpoints.

Of course, while it would be ideal that all enterprise IoT devices ship securely and without flaws, that’s not going to be the reality. Design mistakes will be made over the course of bringing even the most secure devices to market, and most enterprises will similarly make deployment and configuration mistakes that create detrimental security ramifications. For instance, according to Frost and Sullivan, effective IoT security is complicated by how different business departments will independently choose to manage and secure their IoT devices in different ways. All organisations must be aware of this, and should prepare to effectively track, secure, and manage all newly connected devices across the enterprise in a uniform way.

One of the most important strategies to success will be not treating IoT devices as a discrete security challenge, but as part of the organisation’s overall endpoint security strategy. If security teams are to have the visibility and control they need, endpoint and IoT security management must be unified. That includes devices that run any operating system, such as Android™, Chrome™, Windows®, and macOS®. With fewer consoles, or ideally a single console, when managing all endpoints, security teams will have all the information they need to properly identify security threats and respond to potential breaches, and to more intelligently defend systems and data.

Enterprises can’t afford to wait long to centralise their IoT and endpoint security. The longer they wait, the harder it’s going to be to successfully consolidate, especially as IoT deployments accelerate and there are ever more devices on networks, for example, as a result of the explosion of remote working caused by the recent COVID-19 pandemic. Without a centralised console, decentralised information about security events — including attacks across domains — will be lost or overlooked, and teams will be forced to try to manually piece together their responses.

Here are a number of key attributes security teams should look for from their providers when consolidating IoT and endpoint security:

  • The ability to centrally manage users, data files, devices as well as apps
  • Compatibility with most leading endpoint operating systems
  • Ability to manage security configurations for things like access credentials
  • The ability to track usage patterns through comprehensive analytics
  • The ability to deploy across cloud and on-premises environments

The swift pace of IoT has created an issue of scale “where the size of the environment of endpoints, data, and threats is making the job of the CIO and CISO unmanageable,” as the Frost and Sullivan analysts put it. While that’s accurate, it doesn’t have to be true everywhere. By taking the necessary steps today to consolidate endpoint security solutions, enterprises can make certain that their security efforts reach IoT scale.

Petition launched for mandatory IT security levels in business

960 640 Stuart O'Brien

A petition has been launched urging the Government to establish a mandatory minimum level of IT security for all businesses.

Cyber crime among UK businesses no costs over £21 billion each year. The petition, launched by Evaris, aims to make the currently optional National Cyber Security Centre’s (NCSC) Cyber Essentials Scheme compulsory for businesses to protect them in the event of a cyber attack and reduce the cost of cyber crime to the UK economy, as well as the public.

According to the recent Cyber Security Breaches Survey, less than three in 10 (27 percent) businesses have a formal cyber security policy in place, while large companies reported an average of 12 attacks per year that they knew about. Six attacks per year were reported by medium-sized companies.

As a result, Evaris is calling for all businesses to take steps to prevent such attacks from occurring.

The petition aims to ensure small organisations with up to 50 employees and medium-sized firms with between 51 and 250 staff should meet at least the criteria for certification for the Cyber Essentials scheme. Large businesses (those with more than 250 employees) should at least meet the criteria for the Cyber Essentials Plus scheme.

Terry Saliba, Solutions Architect at Evaris, said: “Data shows that more than four in ten businesses experienced a cyber security breach in the past 12 months, and these are becoming increasingly sophisticated and costly for businesses across all industries.

“Unfortunately, we still see that many firms are failing to understand the extent of this issue, and so we believe this petition is vital for establishing a compulsory baseline adhered to by all businesses.

“We’re extremely pleased to see our campaign to make Cyber Essentials compulsory for all companies has gained the support of industry bodies. These organisations see the extent of the damage caused by a lack of IT security and training on a daily basis.”

Vince Warrington, CEO of Protective Intelligence, said: “I’m supporting the petition because I’ve had to deal with the consequences of cyber attacks and seen the destruction they can cause.

“At the moment, far too many companies still see cyber security as a ‘nice to have’ rather than an essential part of everyday business, or feel they don’t understand what they need to do to protect themselves. But cyber attacks are not going to simply disappear – the criminals behind them will target your business if you haven’t taken even the most basic steps to keep them out.

“By driving all companies to adopt Cyber Essentials the government can not only create a good level of basic cyber hygiene across UK Plc, but also create a regular flow of work small cyber security businesses can themselves bring onboard new staff and train them up, thus reducing the predicted shortfall in qualified cyber security experts that the country will need in the decades to come.”

In order to be certified by the Cyber Essentials Scheme, applicants must, as a minimum:
· Use a firewall to secure their internet connection
· Choose the most secure settings for their devices and software
· Control who has access to data and services
· Have protection against viruses and other malware
· Keep devices and software up to date

Saliba continued: “We would urge all businesses to sign our petition and seek Cyber Essentials accreditation to ensure they are protected against the increasing threat of cyber attack. It is time for action to be taken to help businesses remain protected from infiltration.”

Image by Stefan Coders from Pixabay