What Shadow IoT Is and How to Mitigate the Risk

Shadow IoT, the devices that IT and security departments are unaware of, poses a serious threat to enterprise networks. It's essential to understand the dangers and solutions to shadow IoT.

An arm with a smart watch on it casting a shadow
Illustration: © IoT For All

The line between reality and science fiction is beginning to blur. Scenarios that used to be reserved for movies such as Terminator, The Matrix or Inception are quickly becoming a part of our daily lives. The internet itself is something of a technological miracle.

Who could have imagined that we could develop a way to connect the far reaches of the globe into one massive system, and all in the span of a few decades? But things haven’t stopped there. In fact, what we’re seeing today is the next step in the evolution of the internet.

This new step is defined by a tendency to connect more and more devices to the web, leading to what’s called the Internet of Things (IoT). The numbers speak for themselves. In 2017 there were over 8.4 billion IoT devices, and the number is projected to reach 30 billion by 2020, while the market value of IoT is estimated to reach $7.1 trillion in the same year.

The reason for this rapid development is that IoT has shown the potential to revolutionize business, industry, agriculture, medicine and society as a whole. However, this attempt to integrate the physical world with its digital counterpart came with its own share of drawbacks. The topic of this article is one such drawback, the so-called shadow IoT.

This phrase refers to IoT devices that have been brought into business environments without anyone’s knowledge or approval. Such devices represent a major security risk, and they can cause lasting harm to an organization. In this article, we’ll explore a number of methods organizations can use to mitigate the risks associated with shadow IoT.

Lack of Security Awareness 

The main reason why shadow IoT poses a risk for an organization is the lack of awareness surrounding it. Because most organizations haven’t experienced a cyber-attack by way of shadow IoT, they become complacent and treat it as an issue that others have to deal with. This kind of attitude, combined with ignorance, is what makes companies vulnerable to shadow IoT in the first place.

In theory, this issue is easy to solve – all you have to do is raise awareness about the dangers of shadow IoT. In practice, however, this solution isn’t easy to implement. Since the threat is still fairly new, there are a lot of unknowns surrounding shadow IoT. Still, widely publicized cases such as the Mirai Botnet attacks from 2016 are good indicators of what hackers can achieve. Hosting security training seminars for employees is a good starting point for raising security awareness within an organization.

Vendor-Based Attacks

Businesses that provide your company with equipment and services are just as likely to succumb to IoT-based attacks as you are. What makes this threat particularly insidious is the fact that it can come from sources you trust. The issue is further exacerbated by the fact that a lot of companies rely on complex supply chains and multiple vendors in order to operate, which increases the number of attack vectors substantially.

The first line of defense against vendor-based attacks is to assess the safety of internet-capable products your company purchases. This should be done during the selection process and post-purchase. A more drastic solution would be to perform security audits for your key suppliers. The goal here is to ensure that vendors are upholding the appropriate safety standards and procedures they advertise pre-purchase.

Compromised Personal IoT Devices

Personal IT devices are the main culprits of shadow IoT. It’s difficult to manage what each member of an organization brings to work. The list of IoT-enabled devices people tend to carry around increases every year. Wearables such as fitness activity trackers, smartphones, smartwatches, digital assistants and medical devices are the main offenders here. The number of these potential attack vectors is what makes shadow IoT such a major threat. If even one of these devices gets compromised while being connected to a company network, hackers can use it as a gateway to attack company assets such as computers, printers and even thermostats.

Introducing security policies for managing employees’ use of personal electronic devices in the workplace is the first step towards minimizing the risk from shadow IoT. Such policies should be compliant with information security standards such as ISO 27001, or an equivalent. The next step would be to create a BYOD policy in order to establish a strong culture of information security within an organization. Beyond that, you can give IT administrators the ability to enforce these policies by allowing them to inspect non-compliant devices.

Lack of a Data Breach Strategy

It’s impossible to completely insulate an organization from shadow IoT attacks. If hackers are determined enough, they can breach any security system, so investing in cybersecurity beyond a certain point will only bring diminishing returns. What becomes more important is the way an organization behaves in the event of an attack. If an organization doesn’t have a shadow IoT breach strategy in place before the attack, hackers can cause substantially more damage.

The way you prepare for a shadow IoT attack is the same as the way you would prepare for an environmental hazard. The key is to have a plan, keep it updated and train staff through simulated breach scenarios. This will allow you to minimize the damage caused by an attack.

Banishing Shadow IoT 

IoT is the way of the future, for better or for worse. The number of internet-capable devices is steadily multiplying, and each of them carries the seed of a potential attack. There’s little that organizations can do to stem the tide.

What they can do is strengthen their security by implementing the appropriate policies, raise awareness among members about the risks involved and prepare a fallback strategy in order to brace for the inevitable.

Written by Neb Ciric, content producer and technical writer with Advisera