"Smartphones are everywhere, sometimes owned by the company, sometimes owned by the employee, sometimes a strange hybrid where the employee buys the phone and the company gives them money toward it," Demopoulos says.
There are technical solutions to the problem; for example, using data encryption and remote wiping of information. But this raises further issues that need to be addressed. "Can a company legally wipe the data?" Demopoulos says. "In some cases it is not clear. Technical solutions do not address legal issues here."
Discovery relates to issues such as attackers being able to remotely read an individual's passport or other identification card via RFID and similar technologies. "In many cases there are technical solutions possible or in existence, but they rarely address ethical, including privacy, and legal issues," Demopoulos says.
What can be done?
While threats will always exist with the IoT as they do with other technology endeavors, it is possible to bolster the security of IoT environments using security tools such as data encryption, strong user authentication, resilient coding and standardized and tested APIs that react in a predictable manner.
Some security tools will need to be applied directly to the connected devices.
"The IoT and its cousin BYOD have the same security issues as traditional computers," Marchany says. "However, IoT devices usually don't have the capability to defend themselves and might have to rely on separate devices such as firewalls [and] intrusion detection/prevention systems. Creating a separate network segment is one option."
In fact, the lack of security tools on the devices themselves, or a lack of timely security updates on the devices, is what could make securing the IoT somewhat more difficult than other types of security initiatives, Marchany says.
"Physical security is probably more of an issue, since these devices are usually out in the open or in remote locations and anyone can get physical access to it," Marchany says. "Once someone has physical access to the device, the security concerns rise dramatically."
It doesn't help that vendors providing IoT technologies most likely have not designed security into their devices, Marchany says. "In the long term, IT executives should start requiring the vendors to assert [that] their products aren't vulnerable to common attacks such as those listed in the OWASP [Open Web Application Security Project] Top 10 Web Vulnerabilities," he says. IT and security executives should "require vendors to list the vulnerabilities they know exist on their devices as part of the purchase process."
But it's not just up to vendors to protect devices, experts say. IT and security executives will need to have a good handle on what types of devices are connected to the corporate network.