Attorney Steven Teppler, who recently wrote a report that addresses risks related to the internet of things, offers insights on risk management steps organizations in all sectors must take as IoT devices proliferate in the enterprise.
One key step is for organizations to identify and map all the IoT devices connected to their networks and to put in place policies that help prevent new devices from being introduced into the environment, he says in an interview with Information Security Media Group.
"You can have a snapshot or picture of your network at any given time - and do a network map, see who and what is connected to your network - and if there's something with which you're not familiar, you will [need to] investigate and maybe remove or quarantine [the devices] from the network," says Teppler, who wrote a paper for the Information Security Systems Association on the facilitation of IoT devices and the increasing proliferation of crime-as-a-service.
Unknown Devices, Unidentified Risks
Among the challenges in reining in IoT-related security risks is that the number and types of devices entering an environment are difficult for many organizations to control, he says.
"The problem is that you have so many people with so many devices ... that can be brought in and added to the network, that you almost have to do this [mapping process] ... on a continuing basis," he says.
If someone has added a "smart" mini refrigerator or other connected consumer device in an office, for instance, "you need to be very vigilant ... because this is a BYOD - bring your own device - problem on steroids," he says.
"Now you have devices that you can't necessarily brick, you can't know how they operate because ... the organization hasn't set them up or have no control over shutting them down," he says. "If these devices have access to the network, they may have embedded code ... that might start scanning [the network] for whatever is susceptible to an attack."
In the interview, Teppler also discusses:
- Why cyberattacks on IoT devices involving Mirai botnets have had such a devastating impact on some organizations;
- Other cybercrime-as-a-service concerns involving IoT devices;
- Security risks posed by medical devices and who should be responsible for addressing those risks.
Teppler is a partner at the Abbott Law Group in Jacksonville, Fla., where he leads the electronic discovery and technology-related litigation practice. He was also one of the attorneys who represented plaintiffs in a data breach class action lawsuit against health plan AvMed that ended in a $3 million settlement in 2013. Teppler is an adjunct professor at Nova Southeastern University Law School.