The market penetration of gadgets, gizmos, and other “things” (besides PCs and mobile devices) that connect to the Internet is growing rapidly. And because anything with an IP address is immediately a target for hackers and malware, it’s only a matter of time before MSPs and other channel partners working in the SMB space will be facing a rapidly growing set of challenges in securing the IoT (Internet of Things) for those who use it.
All told, the installed base of wireless Internet-connected devices is set to reach 40 billion by 2020, up from an estimated 16 billion last year—reflective of an annual compound growth rate of almost 17 percent, according to Michela Menting, digital security practice director for ABI Research.
IoT is penetrating the market faster than iPhones, notes John Pescatore, director of emerging security trends for SANS Institute, a cooperative research and education organization for security professionals. Many of those “things” are common in the SMB world, according to Pescatore. These include Internet-linked devices used to help control building systems such as HVAC, those used at the retail point of sale, and IoT-based supervisory control and data acquisition (SCADA) systems for gathering and analyzing real-time data.
For now, IoT growth has apparently not been accompanied by increasing security risks to users. But chances are good that this will change in the not-too-distant future. Why? One reason is the computing industry as a whole has not been paying enough attention to IoT security risks, according to Menting. “The manufacturers of IoT devices and the developers of supporting applications are leaping ahead with little consideration or invested effort in security generally.” She adds, “The consequence of shunting security to the side means that vulnerabilities abound.”
Pescatore looks at security risk as a function of system vulnerabilities and volume of exploits. In the case of the IoT, there are plenty of vulnerabilities, but few instances (to date at least) where they have been exploited. “But vulnerabilities attract exploits the way wet wood attracts termites, and they are eventually going to turn into real risks,” he notes, particularly in the enterprise rather than the consumer arena.
For the most part, IoT security is not high on the list of services MSPs and other channel partners currently provide. But as instances of IoT exploits increase, Pescatore sees channel pros initially responding with “managed vulnerability scanning services” that identify/inventory IoT devices (many of them likely previously undiscovered) on the business network.
Beyond that, Menting says channel pros need to keep in mind that “security considerations for IoT need to apply to people and processes as much as to the intelligent objects. On the people side, this involves defining, applying, and auditing security practices and rules.” With regard to processes, she says, “Information security risk assessments and strategies need to be put into place.”