Knowing where you are positioned is a good starting point to take action to improve that position. It is no different for cyber security. If you are familiar with Gartner’s “Magic Quadrant” where they assess companies based on two axes (their innovation and ability to execute), it helps to define where organizations are in their maturity, and what direction or actions they should take to be in the “Leaders” quadrant. How might that same approach be used for IoT cyber security? Especially when failing to be a “Secure Winner” means likely breaches, ransomware, damage to brand, and many other negative consequences.
After working with many end users two key factors (two axes) have emerged for assessing their IoT security situation: do they use automated discovery tools, and do they have an automated way to perform cyber hygiene functions (firmware, certificate, and password management). As shown in Figure 1 below, there are four quadrants that emerge when you look at it this way. Let’s understand what each one means:
UNDER ATTACK: This quadrant is defined by not knowing what assets you have, and not having a method to ensure they are secure. In this scenario you likely have been or will be breached. Known exploits (such as through cvedetails.com) are growing exponentially, with a majority of them targeting unmanaged and IoT devices. Not keeping track of what devices you have, and not maintaining their cyber hygiene, is equivalent to having a “Kick Me” sign on your organization’s back. In this scenario it is a matter of when, not how, hackers will breach your organization.
REDUCED VALUE: Let’s say you know what you have and maintain full visibility of those devices, yet you don’t automate managing their cyber hygiene. For example, if you are using Armis you’ll have that visibility and have threat assessment. But instead of managing the device cyber hygiene some organizations will go the “quick and dirty” route, which is to use port blocking on those devices to protect the network and prevent threats from spreading. But by blocking these devices you are also eliminating the business value of having them there in the first place. Therefore, this is the “Reduced Value” quadrant because your organization is being shortchanged on the IoT investments it has made.
UNKNOWN RISK: You should congratulate yourself for being ahead of the curve by using an automated approach to cyber hygiene, and being on top of firmware updates, certificate management, and password policies. But without using an automated discovery solution you also have a false sense of security because there may be devices distributed within your organization that are not being managed effectively, and you don’t know about them. This creates a “black swan” risk, where you can be blindsided by such devices being breached – you didn’t see it coming because you thought everything was secure.
SECURE WINNERS: You know what devices you have, and you maintain their cyber hygiene. Known vulnerabilities can’t touch you. In this situation you also benefit from the 1+1=3 nature of combining data from your discovery and cyber hygiene tools to have auditable records of maintaining cyber compliance, and a data-driven understanding of your infrastructure.
Want help in getting to the Secure Winners quadrant? Viakoo can help with automated cyber hygiene for unmanaged and IoT devices. Our mission is to make every enterprise IoT device 100% visible, operational, and secured. Sign up for a demo today and see how the Viakoo Action Platform can help you achieve your security goals.