IoT and Shadow IT: Dangerous Bedfellows?
The influx of personal internet-of-things (IoT) devices has led to more machines connecting to enterprise networks outside the purview of the IT department. That’s according to a new study.
Infoblox says that 35 percent of IT leaders reported more than 5,000 non-business devices residing on their network every day. The study, which interviewed companies in the U.S., U.K. and Germany, wrote that these “shadow personal devices” could be the undoing of security teams.
The numerous connected IoT devices could become a convenient entry point for data exfiltration, DDoS attacks, botnets and ransomware, according to Infoblox.
“Due to the poor security levels of many consumer and IoT devices, there is a very real threat posed by those operating under the radar of organizations’ traditional security policies,” said Gary Cox, technology director of Western Europe for Infoblox. “These devices present a weak entry point for cybercriminals into the network, and a serious security risk to the company.”
Fitness trackers like Fitbits were the most common device on enterprise networks, at 49 percent, followed by digital assistants like Alexa (47 percent), smart TVs (46 percent), smart kitchen devices (33 percent) and video-game consoles (30 percent).
The study also found that social media use is prevalent among employees – 39 percent used it while connected to the enterprise network – leaving them susceptible to phishing attacks.
NanoVMs founder Ian Eyberg tells Channel Futures that shady social-media applications and personal IoT devices in the workplace could surreptitiously be gathering data from the network.
“Those off-market devices — they connect to the network internally, and now they can access any of those internal computers,” Eyberg said. “Maybe they find a printer that’s not locked down, then they jump on the printer and start scanning everything that gets printed.”
Another problem is that IT teams and their employees seem to be on different pages when it comes to best practices. Infoblox found that 82 percent of companies have a security policy for IoT devices, but only 24 percent of U.S. and U.K. employees were aware of any such policy. This flies in the face of the 88 percent of IT leader respondents who said their security policy is effective.
And even if there is a policy that’s widely known, Eyberg cautions risk officers from seeing a policy as a silver bullet.
“It’s one thing to set up MDM (mobile device management) and regulate what people might do if they’re connected via smartphone,” he said. “In the case of your fitbit or wearable, it’s a little bit harder to regulate. And then you’ve just got employees who say, ‘Screw it; I don’t care.'”
Those people who might even uninstall their MDM are the ones the security team will have to track down in a “time consuming and aggravating” experience.
Eyberg advises businesses not simply to block devices and websites, but to “improve the security posture of the network itself.” The onus ought to fall on the business, and not on the employees.
“Networks need to be a front line of defense; second only to having good end-user education and appropriate security policies,” Cox said. “Gaining full visibility into all connected devices, whether on premise[s] or while roaming, as well as using intelligent DNS solutions to detect anomalous and potentially malicious communications to and from the network, can help security teams detect and stop cybercriminals in their tracks.”
Read the full Infoblox report, “What is lurking on your network: Exposing the threat of shadow devices.”