For BYOD Policies, IoT Brings New Risks, Report Says

As the number of IoT devices on corporate networks explodes, corporate BYOD policies governing the use of personal devices may be falling short in protecting enterprises from IoT-based malware, according to a report from Infoblox. 

Some 82 percent of the 1,000 IT directors surveyed by the Silicon Valley IT automation and security company indicated they had security policies for connected devices in place, and of those, 88 percent believed they were effective or very effective, according to the report. But a corresponding employee survey showed many employees either aren’t following these policies, or don’t even know they exist at all.

That’s as the number of IoT devices being connected to corporate networks continues to grow. A third of companies in the U.S., UK and Germany have more than 1,000 “shadow IoT devices” connected to their network on a typical day, according to the survey. Fitness trackers are the most common such devices on enterprise networks, followed by digital assistants, smart TVs, smart appliances and video game consoles, according to the report, “What is lurking on your network: Exposing the threat of shadow devices.”

“The issue will get worse, and companies that don’t put reasonable controls and implement good practices, they’re going to have infections and they’ll be part of the attack base,” said Sean Tierney, director of cyber intelligence for Infoblox.

These devices are often exploited by cybercriminals using a number of different tactics, to steal data or cause disruption, according to the report. Employees surveyed in the U.S. and UK said they logged onto corporate networks to access social media, and download apps, games and films.

Compounding the problem is that policies typically used to secure devices – such as requiring employees connect personal phones or tablets to a guest network for use – aren’t sufficient to ensure secure connections of IoT devices, according to Tierney, where the true scope of vulnerabilities and the scale at which they can take effect is still not entirely clear.

“In an ideal world, it should not matter, but the reality is different devices have different capabilities and different vulnerabilities,” he said. “We haven’t comprehended the threat scape.”

In developing policies, involve human resources with a representative team of employees, as well as the security team, Tierney recommended. Have a conversation about where the real needs are, and develop a policy that can evolve with the ever-changing threat landscape, according to Tierney. 

But to better guard against attacks, relying on compliance alone isn’t sufficient. Network and security professionals should take steps to restrict access to certain sites, achieve full visibility, and to secure DNS, which can act as an organization’s first line of defense, according to the report. 

In practice, for instance, build policies around the most prevalent IoT devices within the organization, Tierney recommended.

“If you know the brand, and where it’s communicating with, you can build network policies and control that, and address that connection,” Tierney said.