Organisations must now factor Internet of Things (IoT) into their continuity planning says Peter Groucutt, managing director of Databarracks.

The company has found that just over a quarter of organisations have specific policies in place designed to protect against IoT threats.

“The IoT device market is still relatively immature and somewhat of a Wild West,” said Groucutt.

“According to industry experts, by 2020 there will be over 50 billion connected devices.

“Understandably, manufacturers are racing to capitalise on the opportunity, but unfortunately, many are doing so at the expense of basic security measures.

“Organisations need to be aware of these risks, even if they don’t use any IoT devices – the growing number of connected devices globally means there is an increased risk of DDoS attacks through IoT botnets – but our data suggests firms are ignoring these threats.

Research from the company’s annual Data Health Check survey revealed that only 13 per cent of businesses saw IoT threats as a major concern.

Additionally, just over a quarter of organisations (27 per cent) had set policies in place designed to protect against IoT threats.

Groucutt states that for organisations incorporating IoT devices into their IT infrastructure, there are several considerations.

“Firstly, organisations should not rely on existing policies for evaluating the security of devices, but should develop new policies for IoT devices,” he said.

“Questions to consider are what protocol does the device use? Can the IoT network be isolated from our other systems?

“Is it connecting directly back to the data centre or to a hub – either in the cloud (hosted externally) or to an Edge server that you manage?

“How do we log in and authenticate?  Can we integrate with our existing authentication products, and finally, what O/S is used and do we have competency?

“Secondly, when factoring IoT into your continuity planning, you must define the risks and put in place the necessary controls to minimise them. A plan should be in place to deal with any disruptions.”

He goes on to explain that if a sensor governing a process on a production line is faulty or hacked it will need to be removed from the network while the problem is fixed.

Depending on the function of that sensor, the lesser impact might mean that some data monitoring is lost for a period but won’t necessarily halt operations on that production line.

If the sensor, however, is responsible for a more critical process, operations will be hit and contingencies will need to be in place to continue. In this instance, speed of resolution is vital to minimise the financial impact of any downtime.

“The unique challenge of IoT continuity is that the devices, by their nature, are remote and numerous,” he said.

“Remote access, and the ability to apply changes and fixes to multiple devices at once, makes them easier to manage, but that comes with a risk of compromise. 

“If a remote fix cannot be carried out, an engineer will be required to physically visit the device or devices to address the issue.

“Again, due to the nature of IoT devices – that they are remote and numerous, that means significant cost for remediation.

“This might be an internal engineer physically traveling to reach a faulty device, or alternatively, enlisting the support of an external engineer, for example, the manufacturer of the device, to fix the problem. 

“While this remediation is taking place, a business must be able operate without that device. Returning to the example of sensor on a production line, is there an alternative, manual workaround? If not, whenever there is an issue, production will be brought to a halt until the problem is resolved.”