Remember the days when workers brought their own mobile devices to work and, even though those devices did not meet the organization's guidelines, found a way to connect them anyway? While troublesome, most of the time one of the multitude of monitoring tools available would raise an alert or notification when someone attempted to acquire data via these devices.


What happens when devices need your organization’s network only as a path to pass data through or to accept commands? Do those attempting to access the IoT devices stop at the IoT devices, or do they attempt to reach other parts of the network that the newly installed IoT device is now connected to? Enter the new realm of Shadow IT, in which “off-the-shelf” IoT devices are connected to company networks at the request of the business, without anyone understanding the risks or notifying the people who govern those networks: the IT Professionals.


Break in via the Thermostat Backdoor


Back in July 2017, a casino in Atlantic City signed an agreement with a 3rd party fish tank maintenance company to manage its elaborate fish tank display. The maintenance company then convinced the casino that it could be more proactive in maintaining the fish tanks by using an IoT thermometer to remotely monitor and control tank environment settings. The fish tank thermometers were connected to the local network and to an outside web portal to enable management.


[Image: Casino fish tank IoT thermostats hacked]


It did not take hackers long to exploit a vulnerability within the thermostats to gain access to the casino network, access the casino’s high roller database (an estimated 10GB of data) and transmit the data back through the thermostats out to the web. In cases like these, IT departments are usually blamed for the data leak even if they had very little or nothing to do with the actual rollout of the devices. Incidents like this are unfortunately becoming much more frequent, and IT teams need to be included in IoT planning to help address this.


Can’t spell security without IT


Some Internet of Things manufacturers worry more about device performance than about security. Thankfully this trend is beginning to change as more of these IoT vulnerability exploit stories come to light. What is more concerning, though, is that IT Professionals are not offered a seat at the table when organizations are discussing possible IoT deployments. With data becoming the new currency in this digital world, organizations need to leverage the IT Professional’s knowledge of secure data management now more than ever.


How an IT Professional can become an IoT Professional


Becoming an IoT Professional is not just about learning new tech.  Recently I sat down with Richard Hay at ITPro Today to discuss what 5 things IT Professionals must upskill on to become IoT Professionals.  Have a listen below:




Start your IoT upskill journey with Microsoft Learn


Launched at Microsoft Ignite 2018, Microsoft Learn has become a great upskilling tool for testing out new technology with minimal setup and no cost. There you will find a new learning module entitled "Learn how to manage IoT devices as an IT Admin", which will provide a ground-level technical understanding of what IoT management looks like.


Finally, feel free to submit your comments below with any questions you may have on dealing with IoT-enabled Shadow IT. The team and I look forward to the discussion.