Welcome

Welcome! There is an explosion of unmanaged and IoT devices used across business today — from manufacturing to healthcare to retail and more. Unfortunately, these were not designed with security in mind, can’t host an agent, and are hard to upgrade — creating a new, expanding attack surface.
In a study of 403 enterprise decision-makers commissioned by Armis, Forrester Consulting found that 67% have experienced some sort of security incidents associated with IoT use and, as a result, have suffered consequences ranging from data and intellectual property leaks, to reduced revenues and equipment downtime.
How prepared is your organization to manage the risks associated with unmanaged and IoT devices?
The assessment will yield customized results and recommendations based on your responses and should take no more than 2 or 3 minutes to complete.
Defining an Unmanaged/IoT Device

For the following assessment, Forrester defines "unmanaged and/or IoT device" as a system that can communicate with other devices and systems in your organization, process and transmit information, has an operating system and task-specific application(s) (no matter how simple), and cannot accommodate traditional security or management agents. This includes devices such as:
- Office devices and peripherals – Printers, VoIP phones, smart TVs, kiosks, Bluetooth keyboards, etc.
- Building automation – HVAC systems, physical security systems, lighting systems, security cameras, conference room reservation systems, vending machines, etc.
- Personal or consumer devices – Smartphones, tablets, smart watches, digital assistants, etc.
- Industry-specific devices – Industrial control systems (PLCs, HMIs, robotic arms, etc.), medical devices (patient monitoring systems, mobile imaging systems, infusion pumps, etc.), retail (barcode scanners, POS systems, loss prevention, etc.), warehouse (inventory systems).
- IT & network infrastructure – Access points/wireless LAN controllers, routers, switches, firewalls, IoT gateways, etc.
Questions
Results Overview
Based on your responses to the survey questions, your organization’s IoT security level is .
Organizations at that level do not have full visibility into the unmanaged and IoT devices connecting to their enterprise network and lack effective tools and processes to protect their organizations. To build the foundation of a comprehensive IoT security strategy, they need to map their IoT attack surface and assess their organization’s specific IoT use cases and security requirements.
In this nascent stage, what are some best practices you need to be aware of?
At that intermediate level, unmanaged and IoT device security controls and tools are in place, but blind spots still exist. As threats keep evolving, companies need to continue investing in unmanaged and IoT device security solutions while building cross-organizational collaboration. Improving organizational readiness to mitigate external and insider threats – malicious or accidental – requires them to know how their unmanaged and IoT device deployment is evolving and to assess the need for an updated unmanaged and IoT device security strategy.
What can you do to elevate your unmanaged and IoT device security program?
Organizations at that level have a well-structured approach to unmanaged and IoT device security, with controls, processes, and tools in place. To keep pace with evolving threats and protect their organizations and customers, these companies must retain their security talent, continue to internally communicate the criticality of unmanaged and IoT device security, and develop a comprehensive unmanaged and IoT device security architecture that protects all devices and all other components that interact with the data.
How should you continue to manage your unmanaged and IoT device security program?



Recommendations
Overall Score Total: Exposed
Know-how: Exposed
- Develop a security strategy specific to IoT. The scale and heterogeneity of unmanaged and IoT devices mean that these technologies carry significant security risks. Leverage internal and external expertise to familiarize yourself with the specific vulnerabilities associated with these devices (e.g., volume of data, lack of visibility, physical and digital threats). Building a security strategy that addresses these specificities and taking pre-emptive measures when deploying new devices will help ensure that access to your IoT devices, and IoT networks, is secure.
- Invest in solutions that provide visibility. You cannot secure things if you don’t know they exist. Visibility solutions help you complete a thorough inventory of all devices connected to your network, and then use that information to build policies and implement controls to ensure devices are appropriately monitored and secured.
People: Exposed
- Develop a security talent recruitment program. In a security staffing shortage environment, you need to redefine your recruitment criteria to attract talent. Best practices include committing to inclusive hiring practices, reducing the number of required skills on requisitions, and establishing or taking advantage of apprenticeship programs.
- Start by defining ownership of the identity policies of IoT devices (e.g., which devices can connect to what network, which users are allowed to access them). This should be done in partnership with legal and business departments to ensure compliance with local data regulations, raise awareness, and build cross-organizational collaboration.
Technology: Exposed
- Look at a mix of vendors and solutions. Existing comprehensive security solutions are not always relevant when introducing new technologies such as IoT. Therefore, protecting your organization and keeping up with the growth of unmanaged and IoT devices connecting to enterprise networks requires you to look at a mix of vendors and solutions. Start by assessing your organization’s specific IoT use cases and security requirements. And when evaluating vendors, maintain a flexible, modular security architecture and minimize the risk of lock-in to specific proprietary solutions.
- Encrypt sensitive IoT data by default. Once you've identified your most sensitive data, the best way to protect it is to obfuscate it. Obfuscating data through encryption, tokenization, and other methods renders the data useless to cybercriminals who want to sell it on the underground market.
Process: Exposed
- Map your IoT attack surface, and forecast and document the most probable, highest-impact IoT security scenarios. Having a plan in place and holding simulation exercises will help gauge your organization’s readiness to handle an IoT breach and enable your organization to do so in a way that does not impact customers.
- Build an effective patch management process. Assess how patching can be supported and the implications for the hardware design and user experience. Processes like firmware upgrades may confuse end users and increase support costs, which means that robust testing is needed before any patch/upgrade is rolled out to end users. You also need to ensure that it's impossible to disable patching, as this is a technique that attackers will leverage.
- Develop strong data privacy requirements. As unmanaged and IoT devices generate large volumes of data requiring privacy protection, you need to put in place strong privacy controls, especially for data that needs to be shared with a wide range of business leaders, employees, and partners. Assess how devices generate data and how data is stored in the cloud, and even consider reducing device functionality based on the user's selected privacy permissions.
Overall Score Total: Partially secured
Know-how: Partially secured
- Prepare the wider organization for the possibility of an IoT security breach. It’s not enough for only security teams to be aware of the security risks of unmanaged and IoT devices. Pursue your efforts in training the wider organization on the importance of IoT security, how to spot anomalies in IoT devices, and what to do when they suspect a breach.
- Review current visibility. Make sure there are no blind spots. Because of their scale and diversity, it is common for unknown, unmanaged, and IoT devices to sneak onto your enterprise network. Maintaining a regularly updated inventory of the unmanaged and IoT devices connected to your network will help you keep a grasp on how your IoT deployment is evolving, and help you better assess the need for an updated IoT security strategy.
People: Partially secured
- Develop unique compensation structures for security pros. Security talent is in demand, so use compensation bands that make sense based on the market demand for the position. Consider emphasizing vacation time, learning, and flexible work arrangements for security pros. This lets your organization appeal to the more financially minded candidates, those interested in quality of life, and those seeking roles that offer long-term growth.
- Build cross-organizational collaboration to ensure IoT security success. Look at creating an IoT security governance board to ensure the alignment of security and business objectives and provide leverage and backing to initiatives that support or implement those objectives. With a clear security ownership structure in place, you will be better prepared to implement risk-appropriate security controls into your IoT deployments.
Technology: Partially secured
- Get help from experts to mitigate external and insider threats (malicious or accidental). Partner with solution providers to enhance your security posture and help remediate incidents. Select vendors and put in place policies and processes that will help you gain full visibility on prevented and detected attacks and help you identify undetected attacks. Given that further vendor consolidation is highly likely, a modular architecture also better positions you to respond to changes in the vendor landscape with minimal disruption.
- Communicate that there may be other valid, nonsecurity reasons for enabling patching (such as allowing a performance update). Also, if your architecture relies on digital certificates, don't rely on self-signed certificates; ensure that the certificates are issued from a trusted third-party certificate authority.
Process: Partially secured
- Strengthen identity and authentication controls. Besides changing default passwords, consider dynamic passwords and other authentication means (e.g., biometrics) to further strengthen the security controls on devices. Evaluate authentication alternatives, from fingerprint to face and voice biometrics, to determine how such approaches can be used in ways that minimize customer friction. This will help address the security issues of endpoint devices that still use factory-default passwords.
- Aggressively archive and defensibly delete IoT data. Organizations should more aggressively archive and defensibly delete data according to a well-documented retention policy that accounts for compliance, legal, and business requirements.
Overall Score Total: Secured
Know-how: Secured
- Internally communicate the criticality of IoT security to improve organizational readiness (for instance, when conducting simulations of IoT security breaches). It’s not enough for only security teams to be aware of the security risks of unmanaged and IoT devices. Pursue your efforts in training the wider organization on the importance of IoT security, how to spot anomalies in IoT devices, and what to do when they suspect a breach.
- Do not underestimate customer data privacy concerns. As the scale and distributed nature of the data collected by unmanaged and IoT devices keeps growing, stay abreast of relevant legal and regulatory requirements to ensure the compliance of your IoT devices' data collection practices and use.
People: Secured
- Retain your security talent. As security talent is in demand, focus on retention by establishing and publicizing succession plans for security teams, letting security staff members build and experiment, and using formal job sharing and rotation programs to broaden your team's skills.
- Remember that security requires insights, not just a collection of data. Strengthen security event data collection and normalization capabilities and skills to be able to search through enormous data sets. That will further help identify potential IoT security events and identify and escalate issues.
Technology: Secured
- Build a comprehensive IoT security architecture that protects the IoT device and all other components that interact with the data. Most IoT deployments will require multiple layers of security across devices and networks to mitigate overall IoT security risks.
- Ensure your patching approach is accompanied by a robust management console that can monitor the health and status of all devices in production and flag or alert security analysts to devices missing the latest patch. And remember that a compromised device that you can't patch will remain a compromised device.
Process: Secured
- Strengthen your identity controls. While you may have developed lifecycle processes at the device level, make sure you are also managing the identities of the users who interact with these devices, especially when different users of the same device may have different levels of authorization. You also need to talk with your business counterparts to understand how to deal with scenarios such as a change in device ownership, either in the aftermarket or when a consumer returns a registered device to a manufacturer.
- Apply a Zero Trust architecture. Knowing that you can't maintain an effectively secure perimeter, adopt a Zero Trust approach for your organization’s network, devices, and data, making security ubiquitous throughout, not just at the perimeter. Implementing Zero Trust security controls includes segmenting devices based on risk, inspecting network traffic as it flows between segments, and requiring authentication into the network.
Next Steps
Armis is the first agentless, enterprise-class security platform to address the new threat landscape of unmanaged and IoT devices. It discovers devices on and off the network, continuously analyzes endpoint behavior to identify risks and attacks, and protects critical information and systems by identifying suspicious or malicious devices and quarantining them. Connect with an Armis expert today to learn how to detect and mitigate IoT threats.
Methodology, Disclaimers and Disclosures
Methodology
In this study, Forrester conducted an online survey of 403 decision-makers responsible for IoT security in their organizations. The study was completed in July 2019.
Disclaimer
Although great care has been taken to ensure the accuracy and completeness of this assessment, Forcepoint and Forrester are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein.