Organisations will need to change their attitude to security to accommodate Internet of Things projects

AirWatch by VMware's Mike Blumenthal warns that IoT requires a shift in security stance

Shifting approaches to network security will require a change in attitude towards information security as organisations roll out Internet of Things (IoT) devices, according to Mike Blumenthal, enterprise account executive at AirWatch by VMware, speaking last week at Computing's Internet of Things Business Summit 2016.

Instead of having the attitude to keep potential miscreants out of the network, the focus should shift on securing devices and information - in a similar manner to the model mooted by Met Office CIO Charles Ewen.

"In South Africa, ATMs are being stolen with tractors. They [the thieves] are coming, scooping them up and taking them away. But the most important thing is not the money in the ATM, it's the client information that's in there," says Blumenthal.

However, with a SIM card and GPS built in, the information, at least, can be secured. "If the ATM gets up and moves, it knows and wipes the machine," he adds. IoT devices need a similar approach to security, not just to maintain organisations' internal security, but also personal data as the incoming General Data Protection Regulation is set to ratchet up the potential cost of data leaks.

"So how do you secure a network? You don't," he continued. "You secure information that you get through the network [but] 70 per cent of the IoT devices in use in 2020 won't have the appropriate security. That's a scary thing, especially when some of those things are heart monitors or your car."

With many of these devices designed primarily to serve a purpose and down to a cost, they will almost certainly lack the features to be really secure, which means that organisations need instead to secure the information they generate, and adopt defence in depth to prevent the compromise of one device leading to the compromise of others.

"How do we do that? We build better, with security in mind, not necessarily protecting the network but each individual piece of information," said Blumenthal.

The issue of ownership of data is important, added Blumenthal, with social media, cloud computing and digitisation leading to all kinds of data land grabs, sometimes via the small print. "Who posts pictures on Facebook? They adopted a new policy that Facebook owns the rights to use anything that you post, so the ownership of the information that you post, they own.

"You could be driving down the motorway and see a billboard for a new baby food with a picture of your family on it. I think that's scary," said Blumenthal.