The number of connected devices is expected to balloon to more than 75 billion by 2025, a fivefold increase from 2015.
This explosion, which has been called BYOD on steroids, will have a significant impact on enterprise networks in the form of what’s being called shadow IoT.
Shadow IoT gets its name by combining two concepts:
The combination of these ideas means that shadow IoT is when smart objects connect to an enterprise’s network without the knowledge of its IT department.
A 2018 study revealed the full extent of shadow IoT.
Network management firm Infoblox found that more than three-quarters of organizations of all sizes have 1,000+ business devices connected on a typical day.
In particular, 25% of small businesses with 10-49 employees and 52% of businesses with 50-99 employees reported that more than 1,000 business devices connected on a typical day.
However, more than a third of companies in the U.S., U.K., and Germany reported that more than 5,000 non-business devices connected to their network each day.
The report found that employees used personal devices for activities like accessing social media, as well as downloading apps, games, and films.
Personal devices most commonly found on enterprise networks include:
All of these devices (and more) can expose a network to malware infection, social engineering attacks, ransomware, and unwanted surveillance. In fact, Consumer Reports found that smart TVs know more about us than we think—turning off their snooping features can disguise some of our conversations and preferences.
The best way to defend against shadow IoT is to develop a policy for it.
First, define a list of acceptable devices. For example, do fitness trackers really belong on your network? Evaluate whether they contribute to your business. If not, consider banning them.
Second, specify a set of minimum security controls. This may include requiring people to keep their operating system and their apps updated, disabling Bluetooth, and restricting access to certain websites and services on your network.
Third, communicate the policy through your organization’s security awareness training. Let employees know what personal devices are acceptable or not, and what controls they should put in place.
Finally, policies are only good if they’re enforced. The Infoblox report says that due to “neglect or ignorance, it is clear that organizations cannot rely on employees to follow their security policy for connected devices.” You’ll need to determine how you want to enforce the policy on behalf of your organization.
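As an added illustration of the enforcement step (not code from the original article or from Infoblox), the script below checks DHCP-style lease records against a shadow-IoT device policy and separates banned devices from unknown ones that need a human decision. The lease lines, vendor prefixes, hostname heuristics and policy categories are all constructed for the example.

```python
import re
from collections import namedtuple

# Constructed MAC-prefix -> vendor map; these prefixes are hypothetical, not real OUI assignments.
OUI_VENDORS = {"AA:BB:01": "FitTrack", "AA:BB:02": "SmartTV Co", "AA:BB:03": "LaptopMaker"}

# Hypothetical policy: which device categories may join the corporate network, and which are banned.
POLICY = {
    "allowed_categories": {"laptop", "phone"},
    "banned_categories": {"fitness_tracker", "smart_tv"},
}

# Hostname/vendor heuristics that map an observed device to a policy category (constructed).
CATEGORY_RULES = [
    (re.compile(r"fit|band|watch", re.I), "fitness_tracker"),
    (re.compile(r"tv|roku|chromecast", re.I), "smart_tv"),
    (re.compile(r"laptop|macbook|thinkpad", re.I), "laptop"),
    (re.compile(r"iphone|android|pixel", re.I), "phone"),
]

Device = namedtuple("Device", "mac ip hostname vendor category")
LEASE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<host>\S+)")

def classify(hostname, vendor):
    """Return the first category whose rule matches the hostname or vendor, else 'unknown'."""
    for pattern, category in CATEGORY_RULES:
        if pattern.search(hostname) or pattern.search(vendor):
            return category
    return "unknown"

def parse_leases(text):
    """Parse '<ip> <mac> <hostname>' lines into Device records with vendor and category."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole audit
        mac = m["mac"].upper()
        vendor = OUI_VENDORS.get(mac[:8], "unknown-vendor")
        devices.append(Device(mac, m["ip"], m["host"], vendor, classify(m["host"], vendor)))
    return devices

def audit(devices, policy=POLICY):
    """Split devices into (banned, unknown); unknown ones fall outside both policy lists."""
    known = policy["allowed_categories"] | policy["banned_categories"]
    banned = [d for d in devices if d.category in policy["banned_categories"]]
    unknown = [d for d in devices if d.category not in known]
    return banned, unknown

# Constructed sample lease records for a typical day.
SAMPLE_LEASES = """10.0.5.21 aa:bb:01:12:34:56 fitband-7
10.0.5.22 aa:bb:03:aa:bb:cc thinkpad-jdoe
10.0.5.23 aa:bb:02:00:11:22 livingroom-tv
10.0.5.24 aa:bb:09:de:ad:be esp-node"""

if __name__ == "__main__":
    banned, unknown = audit(parse_leases(SAMPLE_LEASES))
    print("banned:", [d.hostname for d in banned])    # fitband-7, livingroom-tv
    print("needs review:", [d.hostname for d in unknown])  # esp-node
```

In practice the lease text would come from the DHCP server or NAC export, and the unknown list is the one that feeds the policy review described above.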
As more devices flood enterprise networks, now is the time to craft a plan to deal with them. You may even consider working with a partner to help you craft your policy.