Keeping your network secure, in the era of IoT and ransomware

Ross O’Donovan and Barbara Bogdanescu speak to the Sunday Business Post about the threats and challenges that IoT-enabled devices pose to business networks and security systems.

No matter what kind of business you have, patching and visibility of your network will always be at the core of your security approach.

The issue of patching and keeping systems updated is something that every company must engage in regularly, and with the likes of internet of things (IoT) devices slowly becoming more prevalent in businesses, having those practices is key.

“When a lot of people went through the pain with WannaCry ransomware last year, it has brought to everyone’s attention how painful it is to do it,” said Ross O’Donovan, information security practice lead for Logicalis Ireland.

“What we see at the moment is insider threat and then we see the IoT threat is coming up quite often. Typically perimeters and infrastructure are all locked down pretty well - it’s not perfect, but it’s pretty mature - but we see the new emerging threats coming in on the IoT, and always that insider threat, that user behavioural piece is always there.”

The IoT problem is something that’s going to become more of an issue. If you think of the average business, there will be a multitude of devices connected already. PCs, laptops, tablets, smartphones, modems and maybe some wireless devices like printers can be connected to the same network.

That’s a lot already and if you have more than that, you may need to assume that the security measures for specialised IoT devices don’t match the efforts of your regular devices, said Barbara Bogdanescu, Logicalis Ireland’s chief technologist.

“It’s a great marketing piece now that everything can be IoT enabled . . . but then these devices are left in the network and are never checked or properly secured,” she said. “And there’s still no one framework around IoT for security and no standard in terms of patching or operating - the essential security features that a device needs to have - so it’ s very hard to secure the IoT world completely.”

It ties in with Logicalis Ireland’s own expansion, with it both recruiting people to its security team - it’s on the lookout for consultants and security analysis - and also developing its own IoT practice. Globally, the company is working with partners to put together security frameworks for IoT devices which will come through next year.

Bogdanescu mentions that it’s also working on furthering the security by design philosophy, as bolting security solutions onto a network can be both costly and clunky for the business to work around.

While the lack of security around IoT is a major concern, there are some positives that have come out in the last year. The topic of GDPR has really helped heighten people’s security awareness across the board, especially at the top level, and has made conversations about security much more straightforward.

“It’s been great from an educational perspective, certainly at board level,” said O’Donovan. “It’s hit home and we’re able to have more strategic conversations with customers.”

That said, Bogdanescu says the important thing is that GDPR doesn’t just become a box-ticking exercise. Smaller companies are more in danger of falling into this trap since they wouldn’t have the necessary time or resources to cover the entirety of GDPR.

“There’s been a lot of roadmap projects for one or two-year engagements to help cover the different gaps in security . . . but we’re just hoping that in many cases it’s not just a box-ticking exercise,” she said. “We’ve seen that approach taken as well, especially for the smaller companies which don’t have the resources to cover the entire spectrum of GDPR.

“Usually, they’re left with either not collecting the information they need for the business or resorting to expensive solutions. It’s seen as a cost, rather than a business enabler. It’s important to find the right solutions for each customer, rather than saying, ‘you really need this because of GDPR’.”

This article was first published in the Sunday Business Post on the 25th of November 2018.

Related Information