With many IT projects, security is often an afterthought, but that approach puts the business at significant risk. The rise of IoT adds orders of magnitude more devices to a network, which creates many more entry points for threat actors to breach. A bigger problem is that many IoT devices are easier to hack than traditional IT devices, making them the endpoint of choice for the bad guys.\nIoT is widely deployed in a few industries, but it is in the early innings still for most businesses. For those just starting out, IT and security leaders should be laying out their security plans for their implementations now. However, the landscape of security is wide and confusing so how to secure an IoT deployment may not be obvious. Below are three things you must consider when creating an IoT security plan.\n\nHere's what to include in an IoT security plan.\nVisibility is the foundation of IoT security\nI\u2019ve said this before, but it\u2019s worth repeating. You can\u2019t secure what you can\u2019t see, so the very first step in securing IoT is knowing what\u2019s connected. The problem is that most companies have no clue. Earlier this year, I ran a survey and asked how confident respondents were that they knew what devices were connected to the network. A whopping 61 percent said low or no confidence. What\u2019s worse is that this is up sharply from three years ago when the number was 51 percent, showing that network and security teams are falling behind.\nVisibility is the starting point, but there are several steps in getting to full visibility. This includes:\n\n Device identification and discovery. It\u2019s important to have a tool that automatically detects, profiles, and classifies what\u2019s on the network and develops a complete inventory of devices. Once profiled, security professionals can answer key questions, such as, \u201cWhat OS is on the device?\u201d \u201cHow is it configured?\u201d and \u201cIs it trusted or rogue?\u201d\u00a0It\u2019s important that the tool continuously monitors the network so a device can be discovered and profiled as soon as it is connected.\n\n\n Predictive analysis. After discovery, the behavior of the devices should be learned and baselined so systems can react to an attack before it does any harm. Once the \u201cnorm\u201d is established, the environment can be monitored for anomalies and then action taken. This is particularly useful for advanced persistent threats (APTs) that are \u201clow and slow\u201d where they remain dormant and quietly map out the environment. Any change in behavior, no matter how small, will trigger an alert.\n\nSegmentation increases security agility, stops threats from moving laterally\nThis is the biggest no brainer in security today. Fortinet\u2019s John Maddison recently talked with me about how segmentation adds flexibility and agility to the network and can protect against insider threats and spillover from malware that has infected other parts of the network. He was talking about it in the context of SD-WAN, but it\u2019s the same problem, only magnified with IoT.\nSegmentation works by assigning policies, separating assets, and managing risk. When a device is breached, segmentation stops the threat from moving laterally, as assets are classified and grouped together. For example, a policy can be established in a hospital to put all heart pumps in a secure segment. If one is breached, there is no access to medical records.\nWhen putting together a segmentation plane, there are three key things to consider.\n\n Risk identification. The first step is to classify devices by whatever criteria the company deems important. This can be users, data, devices, locations, or almost anything else. Risk should then be assigned to groups with similar risk profiles. For example, in a hospital, all MRI-related endpoints can be isolated into their own segment. If one is breached, there\u2019s no access to medical records or other patient information.\n\n\n Policy management. As the environment expands, new devices need to be discovered and have a policy applied to them. If a device moves, the policy needs to move with it. It\u2019s important that policy management be fully automated because people can\u2019t make changes fast enough to keep up with dynamic organizations. Policies are the mechanism to manage risk across the entire company.\n\n\n Control. Once a threat actor gains access, an attacker can roam the network for weeks before acting. Isolating IoT endpoints and the other devices, servers, and ports they communicate with allows the company to separate resources on a risk basis. Choosing to treat parts of the network that interact with IoT devices differently from a policy standpoint allows the organization to control risk.\n\nDevice protection comes first in IoT security\nThe priority for IoT security is to protect the device first and then the network. Once an IoT device is secured and joins the network, it must be secured in a coordinated manner with other network elements. Protecting IoT endpoints is a matter of enforcing policies correctly. This is done through the following mechanisms:\n\n Policy flexibility and enforcement. The solution needs to be flexible and have the ability to define and enforce policies at the device and access level. To meet the demands of IoT, rules need to be enforced that govern device behavior, traffic types and where it can reside on the network. IoT endpoints, consumer devices, and cloud apps are examples where different policies must be established and enforced.\n\n\n Threat intelligence. Once controls are established, it\u2019s important to consistently enforce policies and translate compliance requirements across the network. This creates an intelligent fabric of sorts that\u2019s self-learning and can respond to threats immediately. When intelligence is distributed across the network, action can be taken at the point of attack instead of waiting for the threat to come to a central point. The threat intelligence should be a combination of local information and global information to identify threats before they happen.\n\nUnfortunately for network and security professionals, there is no \u201ceasy button\u201d when it comes to securing IoT devices. However, with the right planning and preparation even the largest IoT environments can be secured so businesses can move forward with their implementations without putting the company at risk.