According to a report released by cloud security vendor Zscaler, 91% of the traffic that they saw coming through their network security devices from IoT “things” was NOT encrypted.
This is on enterprise networks where one might think that security is more important, so maybe the number is even higher on home networks, although it would be hard to beat that 91% by very much.
The data covered 56 million IoT device transactions from 1,051 enterprise networks, so it seems like a reasonable sample.
These devices include cameras, watches, printers, TVs, set-top boxes, digital assistants, DVRs, media players, IP phones and a host of other stuff.
Given that, what should you do?
First of all, you should be scanning your corporate network to look for these IoT devices, since according to the survey many of the IoT devices found on corporate networks are, not surprisingly, consumer grade.
Next you need to create a policy regarding what devices you are going to allow. There is no right or wrong answer, but it should be a conscious decision.
Finally, you should isolate all of those devices onto the anything-but network, meaning anything but your trusted internal company networks. You probably want to group these into multiple anything-but networks: for example, one network for phones, another for printers, another for smart devices (TVs, coffee pots, water coolers), etc.
While you are in the middle of this, it is probably a good idea to figure out which of these devices patch themselves and which ones vendors even offer patches for. Then you have to figure out how the heck you can patch them.
And, if you CAN turn on encryption, you should probably do so.
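The scan, policy and isolation steps above can be checked against each other once you have an inventory. The following is an added example, not from the original post or from Zscaler: it audits a constructed device inventory against an assumed segmentation plan, and the addresses, device names, category labels and the port-based plaintext heuristic are all assumptions.

```python
import ipaddress

# Assumed segmentation plan (constructed addresses): one "anything-but" network per group.
SEGMENTS = {
    "trusted": ipaddress.ip_network("10.0.0.0/24"),
    "phones": ipaddress.ip_network("10.0.10.0/24"),
    "printers": ipaddress.ip_network("10.0.20.0/24"),
    "smart": ipaddress.ip_network("10.0.30.0/24"),
}
# The conscious policy decision: allowed device categories and the segment each belongs on.
ALLOWED = {"ip_phone": "phones", "printer": "printers", "tv": "smart", "camera": "smart"}
# Heuristic (assumption): well-known ports whose protocols carry no transport encryption.
PLAINTEXT_PORTS = {23: "telnet", 80: "http", 554: "rtsp", 1883: "mqtt"}

# Constructed scan results: (name, category, ip, destination ports seen in flow logs).
INVENTORY = [
    ("lobby-tv", "tv", "10.0.30.14", [443]),
    ("hr-printer", "printer", "10.0.0.52", [443]),
    ("desk-phone-7", "ip_phone", "10.0.10.7", [80, 443]),
    ("smart-kettle", "coffee_pot", "10.0.30.40", [1883]),
    ("door-cam", "camera", "10.0.20.9", [554]),
]

def segment_of(ip):
    """Return the name of the segment containing ip, or None if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def audit(inventory):
    """Return sorted (device, finding) pairs covering policy, placement and encryption."""
    findings = []
    for name, category, ip, ports in inventory:
        expected, actual = ALLOWED.get(category), segment_of(ip)
        if expected is None:
            findings.append((name, "category not in policy"))
        elif actual == "trusted":
            findings.append((name, "on trusted network"))
        elif actual != expected:
            findings.append((name, f"in {actual}, expected {expected}"))
        for port in ports:
            if port in PLAINTEXT_PORTS:
                findings.append((name, f"plaintext {PLAINTEXT_PORTS[port]}"))
    return sorted(findings)

if __name__ == "__main__":
    for device, finding in audit(INVENTORY):
        print(f"{device}: {finding}")
```

A port number only suggests the protocol, so treat a plaintext finding as a prompt to inspect the device's settings, not as proof.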
Doesn’t this sound like fun? Source: Zscaler.