2. Separate the corporate network: Separating the corporate network from unmanaged IoT devices is an essential step. These devices can include security cameras, HVAC systems, temperature control devices, smart TVs, electronic signage, security NVRs and DVRs, media centers, networked lighting and networked clocks. Organizations can use VLANs to separate and track the various IoT devices active on the network. This also allows for analyzing critical functions such as facility operations, medical devices and security operations.
Limit unnecessary Internet access to IoT devices: Many devices run on outdated operating systems. This can be a threat, because any such embedded OS may be deliberately made to reach out to command-and-control locations. There have been incidents in the past where these systems were compromised before being shipped from other countries. It is not possible to completely eliminate IoT security threats, but it is possible to prevent IoT devices from communicating outside the organization. This prevention significantly reduces the risk of potential IoT security breaches.
3. Control vendor access to IoT devices: To improve IoT security, some organizations limit the number of vendors that can access different IoT devices. A sensible option is to allow access only under strict supervision by employees who are already skilled in the job. If remote access is highly desirable, check that the vendor uses the same solutions as in-house personnel, which may include access through the company's VPN solution. Additionally, organizations should assign an employee to oversee the remote access solution on a regular basis. This person should be well versed in some aspect of software testing in order to be proficient in the task.
4. Integrate a vulnerability scanning program: A vulnerability scanning program is an effective way to detect the different types of devices connected to the network, which makes it a useful tool for improving IoT security. Vulnerability scanners work in conjunction with regular scanning programs to discover known vulnerabilities associated with connected devices. Several affordable vulnerability scanners are available on the market. If a vulnerability scanner is not an option, try a free scanning option such as Nmap.
5. Leverage Network Access Control (NAC): Organizations can improve IoT security by implementing a NAC solution together with appropriate switch and wireless integration. This setup can help detect most devices and identify problematic connections in the network. A NAC solution such as ForeScout, Aruba ClearPass, or Cisco ISE is an effective tool for securing an organization's network. If a NAC solution is not in the budget, a vulnerability scanning program can be used for this purpose.
6. Manage updated software: Outdated software can directly impact your organization's IoT security. Manage IoT devices by keeping them up to date and replacing hardware to ensure smooth operation. Delayed updates can prove to be a key factor in failing to protect data and in triggering serious cybersecurity breaches.
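The following is an added example, not part of the original article: a check for the two segmentation items above (separating IoT VLANs from the corporate network and preventing IoT devices from communicating outside the organization), run over firewall flow records. The addressing plan, the allow-list and the `src dst proto dport action` record format are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical, not taken from the article).
ORG = ipaddress.ip_network("10.0.0.0/8")          # all organization-owned space
CORPORATE = ipaddress.ip_network("10.10.0.0/16")  # user and server VLANs
IOT_VLANS = {"cameras": ipaddress.ip_network("10.20.10.0/24"),
             "hvac": ipaddress.ip_network("10.20.20.0/24")}
# Only destinations each IoT VLAN needs (ip, protocol, port): the NVR over
# RTSP for cameras, the building controller over Modbus/TCP for HVAC.
ALLOWED = {"cameras": {("10.20.99.5", "tcp", 554)},
           "hvac": {("10.20.99.8", "tcp", 502)}}

# Constructed sample flow records: src dst proto dport action
SAMPLE_FLOWS = """\
10.20.10.21 10.20.99.5 tcp 554 ALLOW
10.20.10.21 203.0.113.40 tcp 443 ALLOW
10.20.10.22 203.0.113.40 tcp 443 DENY
10.20.20.7 10.10.4.15 tcp 445 ALLOW
10.20.20.7 10.20.99.8 tcp 502 ALLOW
10.10.4.15 198.51.100.9 tcp 443 ALLOW
10.20.10.30 10.20.20.7 tcp 80 ALLOW
"""

def classify(src, dst, proto, dport):
    """Judge one flow against the segmentation policy; None if src is not IoT."""
    vlan = next((name for name, net in IOT_VLANS.items() if src in net), None)
    if vlan is None:
        return None
    if (str(dst), proto, dport) in ALLOWED[vlan]:
        return "ok"
    if dst not in ORG:
        return "internet-egress"      # device talks outside the organization
    if dst in CORPORATE:
        return "corporate-crossing"   # IoT VLAN reaches the corporate network
    return "unlisted-internal"        # internal, but not a needed service

def audit(text):
    """Return (src, dst, port, finding) for each permitted flow that breaks policy."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                  # skip blank or malformed records
        src, dst, proto, dport, action = fields
        verdict = classify(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                           proto.lower(), int(dport))
        if verdict not in (None, "ok") and action.upper() == "ALLOW":
            findings.append((src, dst, int(dport), verdict))
    return findings
```

Each finding is a flow the firewall permitted even though the policy says it should not exist, so it points at a rule to tighten rather than at a blocked attempt.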
Legal basis:
Related contents of the Decision of the Standing Committee of the National People's Congress on Strengthening the Protection of Network Information
I. The state protects electronic information that can identify citizens' personal identity and involves citizens' personal privacy.
No organization or individual may steal or otherwise illegally acquire citizens' personal electronic information, or sell or illegally provide citizens' personal electronic information to others.
Network service providers, other enterprises and institutions, and their staff must keep strictly confidential the citizens' personal electronic information collected in their business activities, and shall not leak, tamper with or destroy it, or sell or illegally provide it to others.
II. Network service providers and other enterprises and institutions shall take technical and other necessary measures to ensure information security and to prevent the leakage, damage or loss of citizens' personal electronic information collected in their business activities. Where information leakage, damage or loss occurs or is likely to occur, they shall immediately take remedial measures.
VI. Network service providers that handle website access services or network access procedures for fixed-line phones, cell phones and the like, or that provide information dissemination services to users, shall require users to provide real identity information when signing an agreement with them or confirming the provision of services.
VII. No organization or individual may send commercial electronic information to a recipient's fixed-line telephone, cell phone or personal e-mail without the recipient's consent or request, or where the recipient has expressly refused.
VIII. Citizens who find network information that infringes on their lawful rights and interests by revealing their identity or spreading their privacy, or who are disturbed by commercial electronic information, have the right to request network service providers to delete the information in question or take other necessary measures to stop it.
IX. Any organization or individual has the right to report or file a complaint with the relevant competent authorities about criminal acts of stealing or otherwise illegally obtaining, selling or illegally providing to others citizens' personal electronic information, and about other network information crimes; the department receiving the report or complaint shall deal with it promptly in accordance with the law. The infringed party may bring a lawsuit in accordance with the law.
XI. Violations of this Decision shall be punished with warnings, fines, confiscation of illegal income, revocation of licenses or cancellation of filings, closure of websites, prohibition of the responsible personnel from engaging in network service business, and other penalties, which shall be recorded in the social credit file and made public; where the violation constitutes a violation of public security management, public security management penalties shall be imposed. If it constitutes a crime, criminal responsibility shall be investigated according to law. Where the rights and interests of others are infringed, civil liability shall be borne in accordance with the law.