
How channel firms can exploit a silver lining to shadow IoT

Opportunity awaits firms that provide real answers to anxieties surrounding a growing IoT threat, argues David Ellis


The Internet of Things (IoT) is changing how businesses across the globe work. When harnessed effectively it can enhance productivity, cut costs, drive new revenue streams, and bring firms closer to customers.

But in the rush to tap into technological leaps, as with many aspects of digital transformation, organisations can leave themselves exposed to security risks. This threat becomes deeper when teams purchase and connect new IoT endpoints to the corporate network without the knowledge of the IT department.

Shadow IT combined with IoT is a recipe for cyber security disaster, but the channel can help, both by providing expert guidance and by supplying the tools IT leaders need to gain greater visibility and control over their smart endpoints.

A new spin on a time-old problem

IoT adoption continues to grow, with research claiming the number of connected devices will explode from 6.3 billion in 2016 to more than 25 billion by 2025. More than half of new devices deployed will be classed as 'business' devices, but it's increasingly difficult to separate 'business' from 'consumer' products in IoT.

Of course, Industrial IoT (IIoT) products are specifically designed to be used by the likes of manufacturers and transport businesses. They can help with everything from monitoring water levels, to running automated factory floor systems and managing vehicle fleets.

But there is also a potentially large number of smart devices running on a corporate network either brought in by employees from home or by managers. Think 'BYOD 2.0'. These can include smart kitchen and home appliances such as kettles, toasters and TVs, or even cameras.

This represents a new spin on the time-old problem of shadow IT: unsanctioned and potentially unsecured devices expanding the corporate attack surface without any oversight from the IT department. It mirrors warnings from a few years ago of business unit managers migrating corporate data into insecure public cloud accounts. Of course, the very nature of shadow IoT means it's impossible to quantify the threat, but that doesn't mean it isn't a major challenge to corporate security.

The scale of IoT threats is rising

Unprotected endpoints represent an increased security threat on several fronts. For instance, they could be compromised to allow "stepping stone" access to corporate networks and enable data-stealing raids. Or they could be conscripted into botnets to launch DDoS attacks, crypto-mining, click fraud and more. The Mirai attacks of 2016 showed us just how easy it is to do this. IoT endpoints could also theoretically be targeted with sabotage to disrupt business processes and can be compromised to spy on staff.

With Symantec reporting a 600% rise in IoT attacks last year, these threats are far from theoretical. Another survey meanwhile reported organisations suffered on average three attacks on connected devices over the previous 12 months. The same research found a third (33%) of organisations don't know who is responsible for IoT security, while only 38% said they involved security teams in choosing IIoT kit.

The potential impact of a serious incident is well known, spanning financial and reputational damage, as well as large regulatory fines under GDPR, and the NIS Directive which applies to critical infrastructure industries.

The problem with shadow IoT is compounded by the fact that responsibility for these new systems is blurred, sitting at an intersection of IT and OT (operational technology) and occasionally falling between the two completely. Worse still, if OT managers are left in charge of IoT, their approach to security will be different from their IT counterparts - which can lead to reluctance to take systems offline to apply vital patches.

The silver lining for channel firms

The plus side is that this offers channel players a great opportunity to step into the role of trusted advisors. A skills gap in customer-facing organisations can lead not only to shadow IoT but also to poor security practice. This might include lack of a regular patch update mechanism, default passwords running on products, no network segmentation, and so on.

Channel partners can be on hand to offer vital advice that improves an organisation's basic cybersecurity hygiene in this area, also offering services like pen testing to identify security issues in smart endpoints. They can even help illuminate the darkest shadows of corporate IT to find any devices on the network that shouldn't be there.

Once organisations have got visibility and are following basic best practices there's an additional opportunity to sell a layered security message to keep IoT systems protected from advanced threats. Elements including IPS, firewalls, identity and access management and many more should be on the radar for channel resellers. We don't claim to hold all the answers but there's certainly an opportunity to add value and forge closer ties with your customers as the race for digital transformation intensifies.

David Ellis is VP for security and mobility solutions for Europe at Tech Data
