The security risks of smarter, more connected devices

Today, most organisations heavily rely on smartphones, laptops, connected office machines and IoT devices. What was once regarded as an improvement in device functionality is now creating more and more of a security threat. This increase in security risk requires a change in how companies approach and manage device security. 

 

The rise of feature creep

Feature creep is the ongoing addition of new functions beyond a product’s original intention, which has dramatically increased across tech over the last several years for a number of reasons. Consumer expectations have evolved at a fast pace, with people now expecting seamless connection, personalisation and integration across all their devices and platforms. Simultaneously, manufacturers are under considerable competitive pressure to differentiate their products and often do so by adding more functionality to the hardware they already have.

 

More functionality, more attack surface

For instance, devices that were initially intended for a single purpose (printers, conferencing systems or even mobile phones) now include app stores, connections to the cloud, sensors and remote administration tools. These functions can improve efficiency and how users experience the device, but they also add layers of software and communication routes that did not exist previously. 

 

Each new feature, inevitably, carries with it potential exposure. The expansion of attack surfaces demonstrates a real increase in the number of ways attackers can get in. A modern smartphone, for example, is nowadays much more than just a communications device but a central hub for email, collaborative working tools, location tracking and apps from third parties, each with its own permissions and requirements. Likewise, office equipment like smart displays or network printers now run complicated operating systems and APIs that can be exploited, and therefore are vulnerable to the same kinds of attacks as traditional IT systems.

 

IoT and visibility challenges

The significant increase in the number of IoT devices only serves to amplify these vulnerabilities further. Many of these devices are installed with very little monitoring and are frequently outside of normal endpoint management systems. Functions such as remote access, automatic updates and connection to cloud services, whilst useful, can create vulnerabilities if they are not correctly secured or maintained. 

 

The negative impact on CISOs and IT departments is considerable. It becomes harder to have a complete view of everything as the number and variety of connected devices grow. Having an up-to-date inventory of all resources, something which was always a fundamental part of security, has become a moving target. Devices can enter and leave the network frequently, and their functionality can evolve through software updates that introduce new features, and with them, new risks over time.

 

Managing risk

Managing patches and vulnerabilities also becomes more complicated. Feature-rich devices often depend on many different software components from different suppliers, each with its own update schedule. Ensuring timely patching can put a strain on resources and expose gaps in security. In some cases, devices may stop receiving updates altogether, leaving any embedded vulnerabilities unaddressed. 

 

Data protection presents yet a further challenge. As devices become more versatile, the boundaries between work and personal use can blend. Functions designed to make things easier, such as sharing files, Bluetooth and connecting to personal cloud services, can go against company policies or rules for compliance. Enforcing consistent controls across many different types of devices requires both technical solutions and clear rules and employees being aware of what is expected.

 

Balancing innovation with oversight

However, it would be too simplistic to perceive feature creep as something solely negative. Additional functions can provide real advantages. Improved collaborative tools, automation and remote management have allowed for new ways of working, particularly in workplaces that are a mix of people in the office and working from other places. For many organisations, these functions are now essential.

 

The problem is balancing these advantages against the risks that come with them. Innovation and security aren’t necessarily opposed to each other, but the speed at which features are added can be too much for organisations to assess and manage their implications. Sometimes, security issues are only looked at after features have already been put into use across the business.

 

This conflict raises wider questions about how a business approaches devices. Rather than accepting feature expansion as an inevitable trajectory, organisations should reconsider how they deal with endpoints and connected devices. This might mean having stricter criteria for what is purchased, paying more attention to how long a device is used for, or choosing devices that have more clearly defined and controlled functions.

 

There is also a growing belief that governance controls need to be updated. Traditional methods that focus on protecting the boundaries of the network are less effective in environments where devices are heavily connected and frequently operating outside the company network. The zero-trust approach, although not a perfect solution, attempts to deal with this by assuming that no device or connection can be automatically trusted.

 

The future of feature-rich devices

Looking ahead, the issue of feature creep isn’t likely to improve. As technologies such as artificial intelligence and edge computing are increasingly embedded in everyday devices, the extent and complexity of functions will continue to expand. This goes far beyond design and strikes at the heart of organisational security, where the margin for error is shrinking fast. Therefore, it is crucial that businesses ensure that they maintain full visibility and oversight of their data.

 

---

 

Petter Neby is founder and CEO at Punkt

 

Main image courtesy of iStockPhoto.com and metamorworks