You can’t go anywhere these days without coming across one of these two terms. IoT and GDPR are hot and it turns out there’s an interesting link between them.
IoT: Hot indeed, but risky from a security standpoint
The number of IoT devices is exploding, and it’s no wonder – they make life easier. They’re the internet-enabled smart elevators, security cameras, and HVAC sensors managing office buildings, they’re the printers, projectors, and smart TVs helping business run smoothly, and they’re the refrigerators, coffee makers, and vending machines nourishing employees. Gartner predicts that by 2020, there will be 20 billion IoT devices in use, up from four billion in 2014.[i]
Despite the benefits and the fact that they are already a staple in most organizations, IoT devices pose a massive security risk. In a recent Ponemon Institute survey, 46% of respondents stated that they (likely or definitely) already experienced an attack as the result of IoT devices.[ii]
It’s not surprising – they’re an easy target. Hackers simply scan networks for entry points and tap into the inherent flaws of IoT devices, which include:
IoT devices are designed to automatically connect to the internet to send information to manufacturers and other devices, sometimes without owners even realizing it’s happening.
They have no “user,” so most existing authentication protocols don’t work.
Many don’t have the memory and processing power for a decent security posture.
Some IoT devices have PINs hardcoded into the firmware that simply can’t be updated.
Most firewalls can’t see or protect them because they can’t authenticate headless devices.
GDPR: Filling IoT security gaps
At this point, most organizations are in the homestretch of GDPR implementation. If you’re not, the good news is that organizations already aligned with the SANS 20 Critical Controls and NIST probably have the underlying security framework they need. Now, it’s about how you apply that architecture to meet the more prescriptive needs of GDPR.
Regardless of where you are in the implementation process, a big part of GDPR is securing data. The scary part is that 82% of organizations can’t identify all the devices connected to their network.[iii] In order to fill the security gap left by IoT devices, you need three things:
Visibility into all the devices on your network
Controls that determine whether a device is acting suspiciously
Response that happens automatically when a threat is detected
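As an added example (not code from the original post), the following Python script sketches those three pieces over constructed data: a DHCP lease table provides the device inventory, per-device baselines of destinations learned during a quiet window act as the control, and a policy table selects the response. It also catches the first flaw in the list above, a device quietly reaching out to an internet host nobody expected, as a "new-destination" alert. All IPs, hostnames, flow records and the action names ("quarantine-vlan", "block-port") are hypothetical, and the script returns the chosen actions rather than executing them, because the NAC or switch API that would carry them out is deployment-specific.

```python
"""Visibility -> control -> response over constructed IoT network data."""
from collections import defaultdict

# Constructed DHCP lease table: (mac, ip, hostname). All values are made up.
DHCP_LEASES = [
    ("aa:bb:cc:00:00:01", "10.0.1.11", "lobby-camera-01"),
    ("aa:bb:cc:00:00:02", "10.0.1.12", "boardroom-tv"),
    ("aa:bb:cc:00:00:03", "10.0.1.13", "hvac-sensor-3f"),
]

# Constructed flow records from a learning window in which every device
# behaved normally: (src_ip, dst_ip, dst_port, bytes_out).
BASELINE_FLOWS = [
    ("10.0.1.11", "10.0.0.5", 554, 48_000_000),   # camera streams RTSP to the NVR
    ("10.0.1.11", "203.0.113.10", 443, 12_000),   # camera checks in with vendor cloud
    ("10.0.1.12", "203.0.113.20", 443, 80_000),   # TV firmware/update check
    ("10.0.1.13", "10.0.0.8", 1883, 3_000),       # sensor publishes MQTT to the BMS
]

# Constructed flow records from a later window containing three problems.
LIVE_FLOWS = [
    ("10.0.1.11", "10.0.0.5", 554, 50_000_000),   # normal
    ("10.0.1.11", "198.51.100.7", 23, 900),       # camera reaching an unknown host
    ("10.0.1.12", "203.0.113.20", 443, 75_000),   # normal
    ("10.0.1.13", "10.0.0.8", 1883, 2_800),       # normal
    ("10.0.1.13", "10.0.1.12", 445, 200_000),     # sensor talking SMB to another device
    ("10.0.1.99", "203.0.113.30", 443, 5_000),    # source has no lease: unknown device
]

# Hypothetical action names; a real deployment maps these onto its NAC/switch API.
RESPONSE_POLICY = {
    "unknown-device": "block-port",      # device never inventoried: cut the port
    "new-lan-peer": "quarantine-vlan",   # known device talking to a new LAN peer
    "new-destination": "quarantine-vlan",  # known device talking to a new outside host
}


def build_inventory(leases):
    """Visibility: map IP -> mac/hostname for every device that took a lease."""
    return {ip: {"mac": mac, "hostname": host} for mac, ip, host in leases}


def learn_baseline(flows):
    """Per-device set of (dst_ip, dst_port) pairs observed during normal operation."""
    baseline = defaultdict(set)
    for src, dst, port, _ in flows:
        baseline[src].add((dst, port))
    return dict(baseline)


def detect(flows, inventory, baseline):
    """Control: return one alert per flow that breaks a rule.

    Rules, in order: the source must be a known device; a known device may
    only talk to destinations seen in its baseline. A new destination that is
    itself an inventoried device is labelled separately, since device-to-device
    traffic on the IoT segment is rarely expected.
    """
    alerts = []
    for src, dst, port, _ in flows:
        if src not in inventory:
            alerts.append({"device": src, "rule": "unknown-device", "dst": dst, "port": port})
            continue
        if (dst, port) not in baseline.get(src, set()):
            rule = "new-lan-peer" if dst in inventory else "new-destination"
            alerts.append({"device": src, "rule": rule, "dst": dst, "port": port})
    return alerts


def respond(alerts, policy=RESPONSE_POLICY):
    """Response: choose one action per offending device from the policy table.

    Returns {device_ip: action} instead of executing anything; the caller wires
    the actions to its own enforcement point.
    """
    actions = {}
    for alert in alerts:
        actions.setdefault(alert["device"], policy[alert["rule"]])
    return actions


def run_pipeline(leases=DHCP_LEASES, baseline_flows=BASELINE_FLOWS, live_flows=LIVE_FLOWS):
    """Run inventory, detection and response in sequence and return all three."""
    inventory = build_inventory(leases)
    baseline = learn_baseline(baseline_flows)
    alerts = detect(live_flows, inventory, baseline)
    return inventory, alerts, respond(alerts)


if __name__ == "__main__":
    inventory, alerts, actions = run_pipeline()
    print(f"{len(inventory)} inventoried devices")
    for alert in alerts:
        name = inventory.get(alert["device"], {}).get("hostname", "<unknown>")
        print(f"ALERT {alert['rule']:16} {alert['device']} ({name}) -> {alert['dst']}:{alert['port']}")
    for device, action in actions.items():
        print(f"ACTION {action:16} {device}")
```

The baseline here is a plain allow-list of destinations learned during a quiet window, which is the simplest control that works for headless devices: they have no user to authenticate, but their traffic patterns are narrow and repetitive, so anything outside the learned set is worth an alert. In practice the learning window needs to be long enough to cover periodic vendor check-ins and firmware updates, or those legitimate flows will show up as new destinations.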
Potential fines for GDPR non-compliance are hefty: 4% of global turnover could mean millions of dollars for many organizations. If you’ve been trying to secure your IoT devices, GDPR is the extra incentive you need to make it happen, ideally by the deadline of May 25, 2018.