Keil Hubert: Why you must beware wolves masquerading as gerbils

A salesperson tried to sell me an internet-enabled TV for my office the other day.
I asked if he was bundling a security event and incident management appliance or a unified security management server along with his television so that his device didn’t compromise my network. The salesperson asked me what I meant… so I hung up on him. No thanks.

Network-aware appliances – the lion’s share of devices that make up the internet of things – sound modern and safe. In reality, these non-PC devices (like a refrigerator that e-mails you when you run low on bacon) are poxy little saboteurs. They’re extremely simple PCs that wait cheerfully to give some clever baddie a safe haven from which to pursue greater mischief.

My argument is that IoT nodes introduce vulnerabilities to the network they’re installed on because they’re inherently insecure. The OS on most non-PC devices is a bare-bones affair, designed for minimum functionality, often with no thought given to integrating into a managed network. Unlike a complex PC, phone, or tablet, IoT devices usually aren’t engineered with hardening and monitoring in mind. That’s why I argue that the market conditions aren’t right – yet – to introduce IoT into businesses too small to feature a dedicated infosec department.

A business that is large enough has both the resources and the remit to integrate IoT components into the network under controlled conditions. Larger companies feature defensive tools like centralised anti-virus management, patch management servers, and intrusion detection systems. They also employ trained operators to monitor their network traffic. These professionals know how to recognise suspicious behaviour, and have the authority to swiftly shut down any device that starts acting squiffy.

I’ve consulted to a bunch of US-based small businesses that understood the need for security, but couldn’t justify stretching the payroll. In 88 per cent of the SOHO environments with 20 or fewer users I inspected between 2001 and 2014, the single most common network defence capability I found was a home-grade broadband router with a built-in firewall – usually with no one monitoring it. I understand why – when margins are razor thin, the resources just aren’t there to procure or to operate enterprise-grade tools.

That’s why the IoT should be a slow sell for small businesses over the next few years: every new addressable device introduced to an office network is another potential pivot point for an attacker. An IoT device may seem like a simple TV set or refrigerator, but an attacker views those nodes as weak, unmonitored, easy-to-compromise targets. Business owners must realise they’re not positioned to accept the risk until they start investing in infosec.

Unfortunately, the glamour and allure of IoT toys will likely prove captivating to people who don’t realise they’re buying wolves masquerading as gerbils. We’ll see a spate of network compromises make the news before the network security sector players realise that they have a golden opportunity (and a compelling need) to take their enterprise toys down-market.

By 2018, I think we’ll start to see the top security vendors roll out simpler, significantly less expensive devices to the SOHO community, the same way they brought us reasonably effective router/firewall capability in £100 appliances back in the early 2000s. Then – and only then – will it start being safe for small businesses to connect internet-enabled TV sets and bidets to their networks. Until then, their best choice is either to do without, or to hire full-time infosec boffins.

Keil Hubert

Follow him on Twitter at @keilhubert. You can buy his books on IT leadership, IT interviewing, horrible bosses and understanding workplace culture at the Amazon Kindle Store. Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. blogger since 2012. His books on applied leadership, business culture, and talent management are available at the Amazon Kindle Store. Keil is based out of Dallas, Texas.

© Business Reporter 2021
