The use and adoption of IoT devices is continuing to grow at break-neck speed. In fact, IHS Markit recently predicted that the number of IoT devices will balloon to 125 billion by 2030. Clearly, the advantages of IoT devices are well-understood: they are more capable, more efficient, and more reliable than their predecessors. But as IoT devices flood the office environment, businesses are failing to understand the dangers they pose.
Connected devices can be a threat to a company’s cybersecurity. While some are equipped with endpoint security – which protects them against cyber threats – many lack built-in protection. Unsecured devices create a conduit to the outside world, which malicious hackers are hungry to exploit to access private data. As the number of unsecured devices connected to the office network continues to soar, so will the risk of a major attack.
Businesses of all sizes must implement company-wide changes to protect their data and reputation in the IoT era. Here are four changes they must make:
- Protect Before Connecting
A device should never be connected to the corporate network before it has been properly secured and configured. Understandably, there’s huge temptation and pressure to get devices online as quickly as possible. But putting the cart before the horse has serious security implications.
An unconfigured device is vulnerable to a range of exploitations. For example, it may be pre-programmed with a generic default password, which can be found online. To ensure all devices are correctly configured, companies should centralize device management. This means tasking a single team of internal or external IT experts with updating, configuring, monitoring and maintaining all company devices.
This coordinated approach ensures all devices are properly configured and operating correctly. It also allows for more sensitive detection of dangerous or malicious activity within the device fleet.
- Use Device-as-a-Service Arrangements
It’s difficult to build an IT department with expertise in every connected device. When the IoT era brings wireless connectivity to light bulbs and coffee machines, building this level of expertise in-house will be next to impossible. Device-as-a-Service (DaaS) arrangements offer a solution.
In the DaaS model, device deployment, management and maintenance are outsourced to an external provider, staffed by product-specific experts. Knowing devices inside and out, DaaS specialists are well equipped to spot and solve vulnerabilities.
DaaS arrangements offer several other benefits. Devices are leased instead of owned, meaning more frequent hardware upgrades and the flexibility to quickly alter device inventory based on workload. DaaS also reduces the burden on the inhouse IT department and converts device investment from CAPEX to OPEX, creating cost stability. The DaaS contractor is also charged with end-of-life recycling, making the product lifecycle more environmentally friendly.
- Prioritize Cybersecurity in Procurement Decisions
In working to fulfill customer needs, it has become clear how rarely IT departments are involved in the device procurement process. This lack of connected thinking means cost-effectiveness becomes the priority, and cybersecurity becomes an afterthought.
Companies should restructure their procurement processes to involve IT professionals, who will make cybersecurity a key consideration. This involves asking CIOs and inhouse IT experts to help set the parameters for procurement and allowing them to have a say in the final purchase decision. The new parameters should mandate that if a device touches the corporate network, it must be equipped with state-of-the-art endpoint cybersecurity.
- Open the Lines of Communication
A recent report from CA Veracode revealed many business leaders fall alarmingly short when it comes to cybersecurity awareness. The report found, for instance, only one-third of the 1,000 business leaders surveyed “had heard of the global WannaCry ransomware attack.” More shockingly, just under half admitted major attacks had not led them to change their cybersecurity approach. If business leaders don’t appreciate or aren’t even aware of the state and scale of cyber threats, they won’t make the wholesale changes required for the IoT era.
To resolve this troubling lack of awareness, new lines of communication must be opened between IT experts and senior company leadership. Regular, in-person meetings should be scheduled, new reporting frameworks should be established, and decision-making structures must be changed to include IT.
IT teams must then maximize these opportunities by communicating cybersecurity issues in an effective manner, translating technical issues into C-suite speak and explaining their consequences in terms of financial loss and reputational damage. IT must also strive to make the issue real; demonstrating how a technical concept applies to the everyday office environment.
A cybersecurity defense is only as strong as its weakest point. If a single IoT device creates a vulnerability in the corporate network, a company’s private data could be compromised. Businesses must act to protect themselves, and their customers, before it’s too late.
Christoph Ruef
Christoph Ruef is Vice President and General Manager of HP’s multi-billion dollar Americas printing business. He has spent nearly 30 years working on HP’s print operations, managing global product strategy, marketing, go-to-market strategy and sales. He has worked for HP in Europe, Asia and the United States. In these markets, he has overseen tectonic changes to the printing market, navigating the transition from black and white to color printers and from single function to All-in-One products. Christoph speaks English and German and resides in San Diego.