• United States

Don’t worry about shadow IT. Shadow IoT is much worse.

Aug 22, 20194 mins
Internet of ThingsSecurity

Shadow IoT – the use of unauthorized internet of things devices and networks – poses a new level of threats for enterprises.

For years, IT departments have been railing about the dangers of shadow IT and bring-your-own-device. The worry is that these unauthorized practices bring risks to corporate systems, introducing new vulnerabilities and increasing the attack surface.

That may be true, but it’s not the whole story. As I’ve long argued, shadow IT may increase risks, but it can also cut costs, boost productivity and speed innovation. That’s why users are often so eager to circumvent what they see as slow and conservative IT departments by adopting increasingly powerful and affordable consumer and cloud-based alternatives, with or without the blessing of the powers that be. Just as important, there’s plenty of evidence of that enlightened IT departments should work to leverage those new approaches to serve their internal customers in a more agile manner.

Shadow IoT takes shadow IT to the next level

So far so good. But this reasoning emphatically does not carry over to the emerging practice of shadow IoT, which has become a growing concern in the last year or so. Basically, we are talking about when people in your organization add internet-connected devices (or worse, entire IoT networks!) without IT’s knowledge.

Those renegades are likely seeking the same speed and flexibility that drove shadow IT, but they are taking a far bigger risk for a much smaller reward. Shadow IoT takes shadow IT to another level, with the potential for many more devices as well as new types of devices and use cases, not to mention the addition of wholly new networks and technologies.

Why shadow IoT is worse than shadow IT

According to a 2018 report from 802 Secure, “IoT introduces new operating systems, protocols and wireless frequencies. Companies that rely on legacy security technologies are blind to this rampant IoT threat. Organizations need to broaden their view into these invisible devices and networks to identify rogue IoT devices on the network, visibility into shadow-IoT networks, and detection of nearby threats such as drones and spy cameras.”

The report noted that all of the organizations surveyed had rogue consumer IoT wireless devices on their enterprise networks, and nine out of 10 had shadow IoT/IIoT wireless networks, defined as “undetected company-deployed wireless networks separate from the enterprise infrastructure.”

Similarly, a 2018 Infoblox report found that a third of companies have more than 1,000 shadow-IoT devices connected to their networks on a typical day, including fitness trackers, digital assistants, smart TVs, smart appliances and gaming consoles. (And yes, Infoblox is talking about enterprise networks.)

It gets worse. Many of these consumer IoT devices don’t even try to be secure. And, per Microsoft, criminal and state-sponsored actors are already weaponizing these devices and networks (both shadow and IT-approved), as shown by the Mirai botnet and many others.

One more thing: Unlike cloud and consumer shadow IT, shadow IoT implementations often don’t provide additional levels of speed, agility or usability, meaning that organizations are not getting much benefit in exchange for the heightened risks. But that doesn’t seem to be stopping people from using them on corporate networks.

Security basics

Fortunately, protecting your organization from shadow IoT isn’t so different from security best practices for other threats, including shadow IT.

Education: Make sure your team is aware of the threat and try to get their buy-in on key IOT policies and security measures. According to that 802 Secure report, “88 percent of IT leaders in the US and UK believed they had an effective policy in place for mitigating security risks from connected devices. But a full 24 percent of employees represented in the survey said they did not even know such policies existed, while a bare 20 percent of the people who professed knowledge of these policies actually abided by them.” Sure, you’ll never get 100 percent participation, but people can’t follow a policy they don’t know exists.

Assimilation: Create policies to let team members easily connect their IoT devices and networks to the enterprise network with the IT department’s approval and support. It’s extra work, and some folks will inevitably go rogue anyway, but the more devices you know about, the better.

Isolation: Set up separate networks so you can support approved and shadow IoT devices while protecting your core corporate networks as much as possible.

Monitoring: Make regular checks of connected devices and networks, and proactively search for unknown devices on all your networks.


Fredric Paul is Editor in Chief for New Relic, Inc., and has held senior editorial positions at ReadWrite, InformationWeek, CNET, PCWorld and other publications. His opinions are his own.