IEEE comments on the evolution of IoT technology and smart devices, and how it has impacted enterprise security

This week, the UK Government announces that organisations can now apply for up to £200,000 of funding to support research into the cyber security of office devices which connect to the internet, to ensure they are properly protected against hackers.

With UK businesses relying on enterprise IoT devices to increase productivity and enable hybrid working, these smart devices collect sensitive data, which can be accessed by other users, making them an attractive target for cyber criminals to exploit.

Impacting enterprise security

Independent experts and researchers from the IEEE – the world's largest technical professional organisation dedicated to advancing technology for the benefit of humanity – offer the following comment on the evolution of IoT technology and smart devices, and how it has impacted enterprise security.

IoT devices have the potential to collect and access a large amount of personal information"

Steven Furnell, IEEE Senior Member and Professor of Cyber Security at the University of Nottingham: “IoT devices have the potential to collect and access a large amount of personal information about users and sensitive data relating to their environment. Devices are often linked to the accounts that consumers use on other devices. The difference is that on these other devices they are more readily protected against unauthorised use.”

Potential for seamless transitioning

Steven Furnell adds, “On the smart device people may set them up initially and forget that they are essentially ‘logged in’ all the time. Added to this, people are often less mindful of the security risks posed by IoT devices, as they do not necessarily think the devices as storing and communicating data in the same way as traditional computing devices.”

He continues, “Most IoT devices are not doing any ongoing checks on who is using them, they are set up and can then be controlled equally by anyone, albeit maybe with a password or PIN required to get into the ‘Settings’ menu. However, introducing a check each time someone wants to do something would not be possible if we rely on traditional methods. Biometrics open the door to making the checks in a friendly and tolerable manner, with the potential for seamless transitioning between users of shared devices.”

Certificate-based authentication

IoT devices can provide an easy way into an enterprise’s network, especially with a BYOD culture in place"

Kevin Curran, IEEE Senior Member and Professor of Cybersecurity at Ulster University: “IoT devices can provide an easy way into an enterprise’s network, especially with a BYOD culture in place. With more devices there are a more endpoints, and this could lead to a chain-attack which has catastrophic consequences.”

He adds, “Organisations need to ensure they deploy IoT devices with sufficient security policies in place, such as firewalls and intrusion detection and prevention systems, but they also need to ensure they cater for the confidentiality of their customers data. This is where encryption plays a core role. Of course, all devices need strong passwords, but it is also good practice to enforce certificate-based authentication which identifies communicating individuals and authorised devices.”

Larger enterprise system

Kevin Curran continues, “Many of the steps in securing IoT activities are similar to security within the larger enterprise system. However, organisations need to be aware that privacy issues can arise due to their IoT data collection mechanisms which may lead to user profiling and identification of individuals in unforeseen use case scenarios.”

He concludes, “The greatest care needs to be taken when deploying data collection devices with regards their lifecycle, data collection mechanisms and overall security protocols. While devices may have some protections built-in, products with poor cyber security can leave companies using them at risk, particularly as more and more data is being collected. Adopting a multi-layered security strategy is often best practice.”