Inside Cybersecurity

December 7, 2021

Daily News

Palo Alto IoT report finds need for greater visibility and security around remote-work connections

By Charlie Mitchell / October 22, 2021

Palo Alto Networks’ annual survey and report on Internet of Things security finds an increase in “non-business IoT devices” connected to corporate networks amid the enduring shift to remote work, and recommends companies and government agencies enhance monitoring and move to a zero trust architecture.

“In 2021, cyberattacks against IoT devices have gotten bigger and bolder--from hacking water treatment plants to security cameras and more. For the second year, an IoT security survey from Palo Alto Networks highlights the need for shared responsibility among work-from-home (WFH) employees and IT teams to secure the enterprise,” according to the report.

“Smart lightbulbs, heart rate monitors, connected gym equipment, coffee machines, game consoles, and even pet feeders are among the list of the strangest devices identified on such networks in this year’s study,” the report says.

“Remote workers need to be aware that IoT devices could be compromised and used to move laterally to access their work devices if they’re both using the same home router, which in turn could allow attackers to move onto corporate systems,” Palo Alto says. “Everything using the same Wi-Fi network creates more risk, whether in a living room or at a coffee shop. Enterprise IT teams need to better monitor threats and device access to networks and create a level of segmentation to safeguard remote employees and limit access to the organization’s most valuable assets.”

The Connected Enterprise: IoT Security Report 2021” was released Wednesday and is based on a research firm Vanson Bourne poll of “1,900 IT decision-makers at organizations in 18 countries in Asia, Europe, the Middle East and the Americas on top IoT security issues.”

“As government agencies prepare remote and hybrid work plans for 2022, the line is fading between home and agency network environments. The Palo Alto Networks IoT Security report is a stark warning that agency cybersecurity postures must extend to the home office and personal devices of all kinds,” said Dana Barnes, senior vice president of U.S. public sector at Palo Alto Networks.

“IoT adoption is growing rapidly with 78% of IT decision-makers reporting an increase of personal devices connecting to their enterprise networks. Under the Biden administration’s recent executive order, federal agencies need a proactive approach, moving to a Zero Trust architecture that verifies approved devices and only allows users to access what is necessary,” Barnes said.

“More so than ever before, as the home is becoming a regular location where work can be done, government agencies need to be equipped with cybersecurity best practices and tools to help ensure protection at the home just as it does the office. This requires the use of strong passwords and solutions that provide visibility of the entire attack surface and micro-segmentation,” according to Barnes.

The report says: “Safeguarding IoT devices from cyberattacks is an ongoing challenge. Therefore, we are skeptical that today’s enterprises have a true picture of the number of non-business IoT devices that may actually be putting their organizations at risk. With most cyberattacks and malware/ransomware accessing corporate networks months before they are detected, device asset management should be a critical component of a corporate IoT security strategy.”

The report includes security recommendations for the enterprise and for individual workers, and says the survey found “half (51%) of IT decision-makers who have IoT devices connected to their organization’s network indicated that IoT devices are segmented on a separate network from the one they use for primary business devices and business applications (e.g., HR system, email server, finance system), and another 26% of respondents in the same group said that IoT devices are microsegmented within security zones--an industry best practice where organizations create tightly controlled security zones on their networks to isolate IoT devices and keep them separate from IT devices to prevent hackers from moving laterally on a network.”

The report says, “Dividing your network into zones helps create a Zero Trust architecture that executes a security philosophy of trusting no users, devices, or applications and verifying everything. The end goal is to create a network that allows access only to the users, devices, and applications that have legitimate business needs and to deny all other traffic.” -- Charlie Mitchell (cmitchell@iwpnews.cm)