It’s been nearly two decades since the coining of the term “Internet of Things,” yet we are still asking the same question: “Whose responsibility is it to secure the billions of IoT devices?” Given the market’s progress of late, you would think we’d have it figured out by now; but, it’s not that simple.

Although IoT security has long been a hot topic of discussion, it has become more important – and more challenging – than ever. First, gone are the days when operational technology (OT) was single-handedly responsible for securing IoT, often taking a “security by obscurity” approach by physically separating production operations and industrial networks from enterprise networks and the Internet. Although enterprises are realizing the need to converge IT with OT to drive new use cases, enable an open flow of data between networks and applications, support better business decisions, lower costs, and reduce complexity, new attack surfaces are arising between the gaps in IT and OT practices.

Second, cybercriminals are increasingly targeting IoT by exposing these vulnerable attack surfaces. Studies show that DDoS (Distributed Denial-of-Service) attacks by IoT devices turned into IoT botnets are on the rise. For example, the Mirai botnet has infected hundreds of thousands of IoT devices, making them capable of collaborating on large-scale network attacks.

Third, each vertical is different when it comes to IoT security, some with critical or mission-critical infrastructures, and varying regulations. In the Utilities industry, for instance, the U.S.
government recently mandated the adoption of version 5 of the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) as the cybersecurity standard, whereas the Healthcare industry follows HIPAA requirements for securing data.

While enterprise IT, chief information security officers and governments around the world play central roles in IoT security, it is everybody’s job, especially industry’s, to establish consensus around a core set of requirements that address critical security, data protection and privacy needs.

From devices to industry standards

Both device and security vendors are critical to the IoT ecosystem. However, device vendors have been slow to invest in security because it can add cost, complexity and time-to-market. With many makers committing clear security missteps – such as hard-coding default names and passwords into their devices – consumer IoT gadgets have been incredibly easy to compromise.

Yet, after a series of high-profile consumer IoT attacks in 2016, not only are governments considering regulation, but more vendors and device makers have finally started to invest appropriately in IoT security. These vendors are taking a dual approach where they protect the “things” from the network, and vice-versa. For instance, manufacturers can now add an extra layer of security to their devices by using the IETF MUD standard enabling them to “tell” the network what access the device needs. This allows the network to deny any anomalous requests from that device.

At the same time, industrial IoT vendors are collaborating to establish standards, interoperability and certifications for IoT security. For example, manufacturing standards bodies such as ODVA, OPC and ISA are working to align with IEC 62443 on security.
These standards combine vertical, industry-specific best practices at the higher layers, with horizontal approaches to common elements like industrial security. Also, groups like the IETF, the Industrial Internet Consortium (IIC)’s security working group and IEEE have all been active in developing IoT security frameworks, standards and methodologies to ensure cybersecurity across interconnected IoT systems by brand, model and type. This will help companies mitigate risks when developing and deploying their IoT solutions.

The work of all these players is complicated by the unique challenges of an IoT environment – more distributed, more heterogeneous, more complex and often at a much larger scale than traditional IT environments. This leads us to our next line of defense in IoT security: your business.

Best practices for businesses

As vendors rise to the IoT security challenge and embrace interoperability standards, businesses across industries must also do their part to safeguard IoT and prevent potentially disastrous cyberattacks. The key tactics involve achieving visibility into their networks, network endpoints, IoT devices and cloud infrastructure. To do so, consider the following tools and best practices:

1. Inventory devices and systems connected to the network

Security teams often have only snapshot views or outdated lists of managed devices for reference. If possible, automate device discovery to understand precisely what devices are running which operating systems and quickly send out patches to fix known vulnerabilities. Also, invest in a centralized platform that can integrate all your IoT initiatives and provide you with the visibility (and security) to obtain new value from the data shared between different systems.

2. Enable real-time monitoring and leak path detection

Investigate solutions that closely monitor network traffic, detect attackers and track how IoT devices interact with the network and other devices.
It may very well be a sign of malicious activity if an IoT device is scanning another, or if an otherwise predictable traffic pattern changes. For example, if the HVAC system is communicating with the point of sale (POS) system, or if the POS is unexpectedly sending data to the cloud, you can quickly flag and shut down that activity.

3. Implement network segmentation and role-based access controls

Ensure that only authorized people, machines or processes can access certain classes of devices or data flows. There’s no reason the HVAC should even be allowed to talk to the POS, is there? To prevent this, isolate these systems on separate network segments – and remember to review segmentation policies and test their effectiveness regularly.

4. Train your employees and build a culture of security awareness

Your employees (no matter their roles) should be your first line of defense against countless threats. Like IoT itself, security education is never “one and done.” Another issue for both IT and IoT is that 60 percent of security threats originate from inside sources. A quarter of these breaches are unintentional – from clicking on a link in a phishing email to carelessly holding the door open for an unbadged person. This is where we get back to the notion that IoT security is everybody’s job.

While these best practices will help secure IoT, the bottom line is that companies must take an integrated, policy-based approach to IoT security that integrates data, device and physical security. Doing this will open new classes of IoT use cases and provide customers with a single source of accountability. With billions of new devices coming online every year, it will take more than a perimeter or “security by obscurity” defense to secure your IoT systems. If we want to enjoy the full benefits of connected systems, it’s up to everyone to know and own their part.

So, what’s your role in securing IoT?
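
The monitoring and segmentation checks described in practices 2 and 3 above can be sketched as follows. This is an added example, not code from the article: the inventory, the allow-list policy, the scan threshold and the flow records are all constructed assumptions.

```python
from collections import defaultdict

# Hypothetical device inventory (practice 1): IP address -> device class.
INVENTORY = {
    "10.10.1.5": "hvac",
    "10.20.1.7": "pos",
    "10.20.1.8": "pos",
    "10.30.1.2": "payment-gateway",
    "10.40.1.9": "bms-controller",
}

# Hypothetical segmentation policy (practice 3): per source class, the only
# (destination class, port) pairs allowed. Anything not listed is denied,
# in the spirit of a device declaring the access it needs.
ALLOWED = {
    "hvac": {("bms-controller", 47808)},
    "pos": {("payment-gateway", 443)},
}

SCAN_THRESHOLD = 5  # assumed: distinct (dst, port) pairs per source in one window

def classify(ip):
    """Map an address to its inventoried class; unknown hosts are 'external'."""
    return INVENTORY.get(ip, "external")

def review_flows(flows):
    """Return (policy_violations, suspected_scanners) for (src, dst, port) flows."""
    violations = []
    targets = defaultdict(set)
    for src, dst, port in flows:
        src_cls, dst_cls = classify(src), classify(dst)
        targets[src].add((dst, port))
        if (dst_cls, port) not in ALLOWED.get(src_cls, set()):
            violations.append((src, dst, port, f"{src_cls}->{dst_cls}"))
    scanners = sorted(s for s, t in targets.items() if len(t) >= SCAN_THRESHOLD)
    return violations, scanners

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.40.1.9", 47808),   # HVAC -> building controller: expected
    ("10.20.1.7", "10.30.1.2", 443),     # POS -> payment gateway: expected
    ("10.10.1.5", "10.20.1.7", 445),     # HVAC -> POS: crosses segments
    ("10.20.1.8", "203.0.113.50", 443),  # POS -> unknown cloud host
] + [("10.20.1.8", "10.20.1.7", p) for p in (21, 22, 23, 80, 8080)]  # port sweep

if __name__ == "__main__":
    found, scanners = review_flows(SAMPLE_FLOWS)
    for item in found:
        print("DENY", item)
    print("possible scanners:", scanners)
```

Running the same check against the segmentation policy on a schedule is one way to test that the policy still matches what devices actually do.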